[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"

2022-05-23 Thread Andreas Hasenack
Fixed in https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.28+dfsg-6

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/827151

Title:
  Annoying log message "DIGEST-MD5 common mech free"

Status in Cyrus-sasl2:
  Fix Released
Status in cyrus-sasl2 package in Ubuntu:
  Triaged
Status in cyrus-sasl2 source package in Trusty:
  Won't Fix
Status in cyrus-sasl2 source package in Xenial:
  Incomplete
Status in cyrus-sasl2 source package in Yakkety:
  Fix Released
Status in cyrus-sasl2 source package in Focal:
  Triaged
Status in cyrus-sasl2 source package in Impish:
  Triaged
Status in cyrus-sasl2 source package in Jammy:
  In Progress
Status in cyrus-sasl2 package in Debian:
  Fix Released

Bug description:
  I recently updated the libsasl2-modules to 2.1.24~rc1.dfsg1+cvs2011-05-23-4ubuntu1 in oneiric.
  That triggered the bug also described in Debian here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631932

  The annoying message is logged in auth.log. In my case, it is associated with svnserve:
  svnserve: DIGEST-MD5 common mech free

  I'm not exactly sure what action triggers the message, but I can
  investigate more if required.

  $ lsb_release -rd
  Description:Ubuntu oneiric (development branch)
  Release:11.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/cyrus-sasl2/+bug/827151/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1971272] Re: Merge cyrus-sasl2 from Debian unstable for kinetic

2022-05-23 Thread Andreas Hasenack
It's back to being a sync:
https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.28+dfsg-6

** Changed in: cyrus-sasl2 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1971272

Title:
  Merge cyrus-sasl2 from Debian unstable for kinetic

Status in cyrus-sasl2 package in Ubuntu:
  Fix Released

Bug description:
  Upstream: tbd
  Debian:   2.1.28+dfsg-4
  Ubuntu:   2.1.27+dfsg2-3ubuntu1


  Debian does new releases regularly, so it's likely there will be newer
  versions available before FF that we can pick up if this merge is done
  later in the cycle.

  
  ### New Debian Changes ###

  cyrus-sasl2 (2.1.28+dfsg-4) unstable; urgency=medium

* d/copyright: java/* files were removed upstream
* d/copyright: Reformat the default license's margin
* d/copyright: Add project's license to include/makemd5.c
* Move SCRAM to libsasl2-modules (Closes: #977360)
* Install additional GS2 module for Heimdal
* Remove Roberto from the Uploaders
* Drop 0005-Fixes-in-library-mutexes.patch
* Drop 0021-Fix-keytab-option-for-MIT-Kerberos.patch
* Remove former logcheck conffile (Closes: #1009851)
* lintian: Fix excessive-priority-for-library-package
* lintian: Fix package-contains-empty-directory

   -- Bastian Germann   Wed, 20 Apr 2022 01:01:01 +0200

  cyrus-sasl2 (2.1.28+dfsg-3) unstable; urgency=high

* Set MIT/Heimdal CFLAGS instead of CPPFLAGS
* Drop unnecessary 0027-properly-create-libsasl2.pc.patch
* Prevent installing outdated ChangeLog (Closes: #1009681)
* Remove debug log message and its logcheck rule (Closes: #805310)
* Self-reference pluginviewer man as saslpluginviewer (Closes: #1009380)
* Get rid of broken README.configure-options
* Add sasldbconverter2.8 manpage
* d/copyright: Add missing KTH license
* Install libsasl.5 manpage

[ Debian Janitor ]
* Remove constraints unnecessary since buster

   -- Bastian Germann   Fri, 15 Apr 2022 12:02:13 +0200

  cyrus-sasl2 (2.1.28+dfsg-2) unstable; urgency=medium

* Remove cruft

   -- Bastian Germann   Fri, 25 Feb 2022 18:58:54 +0100

  cyrus-sasl2 (2.1.28+dfsg-1) experimental; urgency=medium

* Drop upstream patches
* Import new release signing key
* Reset repacksuffix
* New upstream version 2.1.28+dfsg (CVE-2022-24407)
* Rebase 0027-properly-create-libsasl2.pc.patch

   -- Bastian Germann   Tue, 22 Feb 2022 23:40:47 +0100

  cyrus-sasl2 (2.1.27+dfsg2-3) unstable; urgency=medium

    [ Andreas Hasenack ]
* Fix configure.ac for autoconf 2.70 (Closes: #1003355, #1000152)

   -- Bastian Germann   Tue, 11 Jan 2022 11:25:37 +0100

  cyrus-sasl2 (2.1.27+dfsg2-2) unstable; urgency=medium

[ Helmut Grohne ]
* Fix FTCBFS: (Closes: #928512)
  + cross.patch: Support caching SPNEGO support test.
  + Provide SPNEGO support test result.

[ Vagrant Cascadian ]
* Set date in man pages (Closes: #995145)

   -- Bastian Germann   Wed, 17 Nov 2021 01:23:49 +0100

  cyrus-sasl2 (2.1.27+dfsg2-1) unstable; urgency=medium

* Add bage to uploaders (Closes: #799864)
* Use upstream patches where possible
* Amend off-by-one in _sasl_add_string function
* Replace some patches by upstream equivalents
* Apply the patches in order of to their prefixes
* Add missing caret (^) in logcheck rule (Closes: #830764)
* Remove unnecessary GPL copy
* Add missing copyright/licenses
* Repack, getting rid of more problematic files
* Build html documentation
* Make the package rebuildable
* Remove outdated README.Debian info
* Disable autostart via debhelper
* Drop unnecessary patch
* Remove alternative, old build dep libmysqlclient-dev
  Annotate documentation Build-Depends with :native

[ Frédéric Brière ]
* Make logcheck snippet compatible with systemd journal

   -- Bastian Germann   Sun, 14 Nov 2021 14:11:18 +0100

  cyrus-sasl2 (2.1.27+dfsg-2.3) unstable; urgency=medium

* Non-maintainer upload.
* d/watch: Check the github releases page
* Get rid of a patch's patch
* Recover upstream-compatible patch license (Closes: #996866)
  + Relicense libobj patch
* Fix lintian: unused-override


  ### Old Ubuntu Delta ###

  cyrus-sasl2 (2.1.27+dfsg2-3ubuntu1) jammy; urgency=medium

* SECURITY UPDATE: SQL injection in SQL plugin
  - debian/patches/CVE-2022-24407.patch: escape password for SQL
insert/update commands in plugins/sql.c.
  - CVE-2022-24407

   -- Marc Deslauriers   Tue, 22 Feb 2022 14:17:18 -0500

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1971272/+subscriptions



[Touch-packages] [Bug 1677781] Re: Missing dep8 tests

2022-05-23 Thread Andreas Hasenack
Fixed in https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.28+dfsg-6

** Changed in: cyrus-sasl2 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1677781

Title:
  Missing dep8 tests

Status in cyrus-sasl2 package in Ubuntu:
  Fix Released

Bug description:
  As of March 29, 2017, this source package did not contain dep8 tests in
  the current development release of Ubuntu, named Zesty. This was
  determined by running `pull-lp-source cyrus-sasl2 zesty` and then
  checking for the existence of 'debian/tests/' and
  'debian/tests/control'.

  Test automation is essential to higher levels of quality and confidence
  in updates to packages. dep8 tests [1] specify how automatic testing can
  be integrated into packages and then run by package maintainers before
  new uploads.

  This defect is to report the absence of these tests and to report the
  opportunity as a potential item for development by both new and
  experienced contributors.

  [1] http://packaging.ubuntu.com/html/auto-pkg-test.html

   affects ubuntu/cyrus-sasl2
   status new
   importance wishlist
   tag needs-dep8

  - ---
  Joshua Powers
  Ubuntu Server
  Canonical Ltd


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1677781/+subscriptions




[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128

2022-05-23 Thread Andreas Hasenack
Fixed in https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.28+dfsg-6

** Changed in: cyrus-sasl2 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1973760

Title:
  Crash when using DIGEST-MD5 with SSF>=128

Status in cyrus-sasl2 package in Ubuntu:
  Fix Released
Status in cyrus-sasl2 package in Debian:
  Fix Released

Bug description:
  I'm still troubleshooting this, but at the moment apps negotiating a
  DIGEST-MD5 authentication and requesting some form of transport
  encryption (ssf != 0) are crashing. The only example I have so far is
  the openldap client tools (so just one app really).

  ssf=0 works:
  $ ldapwhoami  -U ubuntu@lxd -w ubuntusecret -O maxssf=0
  SASL/DIGEST-MD5 authentication started
  SASL username: ubuntu@lxd
  SASL SSF: 0
  dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth

  
  ssf=128 crashes:
  $ ldapwhoami  -U ubuntu@lxd -w ubuntusecret -O maxssf=128
  SASL/DIGEST-MD5 authentication started
  SASL username: ubuntu@lxd
  SASL SSF: 128
  SASL data security layer installed.
  Segmentation fault (core dumped)

  The crash seems to be inside openssl. I'll get a proper stack trace.

  2.1.27, also built with openssl3, does not crash. So far only 2.1.28
  (in kinetic-proposed).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions




[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128

2022-05-20 Thread Andreas Hasenack
A fixed cyrus-sasl2 is in kinetic-proposed.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1973760

Title:
  Crash when using DIGEST-MD5 with SSF>=128

Status in cyrus-sasl2 package in Ubuntu:
  In Progress
Status in cyrus-sasl2 package in Debian:
  New



[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128

2022-05-19 Thread Andreas Hasenack
Bileto is green: https://bileto.ubuntu.com/#/ticket/4852

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1973760

Title:
  Crash when using DIGEST-MD5 with SSF>=128

Status in cyrus-sasl2 package in Ubuntu:
  In Progress
Status in cyrus-sasl2 package in Debian:
  New



[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128

2022-05-19 Thread Andreas Hasenack
Submitted the cyrus-sasl2 fix to Debian via
https://salsa.debian.org/debian/cyrus-sasl2/-/merge_requests/11

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1973760

Title:
  Crash when using DIGEST-MD5 with SSF>=128

Status in cyrus-sasl2 package in Ubuntu:
  In Progress
Status in cyrus-sasl2 package in Debian:
  New



[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128

2022-05-18 Thread Andreas Hasenack
** Bug watch added: Debian Bug tracker #1011249
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011249

** Also affects: cyrus-sasl2 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011249
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1973760

Title:
  Crash when using DIGEST-MD5 with SSF>=128

Status in cyrus-sasl2 package in Ubuntu:
  In Progress
Status in cyrus-sasl2 package in Debian:
  Unknown



[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128

2022-05-18 Thread Andreas Hasenack
Submitted python-bonsai DEP8 fixes to Debian via
https://salsa.debian.org/python-team/packages/python-bonsai/-/merge_requests/1

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1973760

Title:
  Crash when using DIGEST-MD5 with SSF>=128

Status in cyrus-sasl2 package in Ubuntu:
  In Progress



[Touch-packages] [Bug 1971272] Re: Merge cyrus-sasl2 from Debian unstable for kinetic

2022-05-18 Thread Andreas Hasenack
It's currently blocked on this (real) bug, for which I'm testing a few
fixes already:
https://bugs.launchpad.net/ubuntu/+source/python-bonsai/+bug/1973756

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1971272

Title:
  Merge cyrus-sasl2 from Debian unstable for kinetic

Status in cyrus-sasl2 package in Ubuntu:
  In Progress


[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128

2022-05-17 Thread Andreas Hasenack
https://github.com/cyrusimap/cyrus-sasl/pull/668

** Bug watch added: github.com/cyrusimap/cyrus-sasl/issues #665
   https://github.com/cyrusimap/cyrus-sasl/issues/665

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1973760

Title:
  Crash when using DIGEST-MD5 with SSF>=128

Status in cyrus-sasl2 package in Ubuntu:
  In Progress



[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128

2022-05-17 Thread Andreas Hasenack
https://github.com/cyrusimap/cyrus-sasl/pull/653

https://github.com/cyrusimap/cyrus-sasl/issues/665

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1973760

Title:
  Crash when using DIGEST-MD5 with SSF>=128

Status in cyrus-sasl2 package in Ubuntu:
  In Progress



[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128

2022-05-17 Thread Andreas Hasenack
Working theory at the moment is that cyrus-sasl2 is using RC4 from
OpenSSL, and OpenSSL3 deprecated it:

On Kinetic:
$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

$ echo -ne test | openssl rc4 -k test 
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
Error setting cipher RC4
4057FE8C0B7F:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC4 : 37), Properties ()
Salted__gG

On Impish:
$ openssl version
OpenSSL 1.1.1l  24 Aug 2021

$ echo -ne test | openssl rc4 -k test
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
Salted__~T�|=�ʇ


Jammy:
$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
$ echo -ne "test" | openssl rc4 -k test
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
Error setting cipher RC4
40078BF4127F:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC4 : 37), Properties ()
Salted__��N�x���


Both jammy and kinetic show "Error setting cipher RC4".

Oh, and the stack trace confirming it's inside openssl:
(gdb) bt
#0  0x774085cb in EVP_EncryptUpdate (ctx=0x0, out=out@entry=0x555c7cf4 "0\036\002\001\004w\031\200\027\061.3.6.1.4.1.4203.1.11.3ST-MD5 client step 3", outl=outl@entry=0x7fffdbc4, in=0x555c8d50 "0\036\002\001\004w\031\200\027\061.3.6.1.4.1.4203.1.11.311.311.3", inl=32) at ../crypto/evp/evp_enc.c:614
#1  0x770a07a9 in enc_rc4 (text=0x55585e00, input=, inputlen=, digest=0x7fffdc20 "^\316@+\322}\a\334\006T\005\353:H}\036\260l\\UUU", output=0x555c7cf4 "0\036\002\001\004w\031\200\027\061.3.6.1.4.1.4203.1.11.3ST-MD5 client step 3", outputlen=0x7fffdda4) at ../../plugins/digestmd5.c:1201
#2  0x770a1ddb in digestmd5_encode (context=0x55585e00, invec=, numiov=, output=0x5559e708, outputlen=0x7fffdda4) at ../../plugins/digestmd5.c:1552
#3  0x77f33c3e in _sasl_encodev (conn=conn@entry=0x55586cf0, invec=invec@entry=0x7fffdd70, numiov=numiov@entry=1, p_num_packets=p_num_packets@entry=0x7fffdd0c, output=output@entry=0x5559e708, outputlen=outputlen@entry=0x7fffdda4) at ../../lib/common.c:359
#4  0x77f360a1 in sasl_encodev (conn=conn@entry=0x55586cf0, invec=invec@entry=0x7fffdd70, numiov=numiov@entry=1, output=output@entry=0x5559e708, outputlen=outputlen@entry=0x7fffdda4) at ../../lib/common.c:582
#5  0x77f361d0 in sasl_encode (conn=0x55586cf0, input=, inputlen=, output=output@entry=0x5559e708, outputlen=outputlen@entry=0x7fffdda4) at ../../lib/common.c:304
#6  0x77f665ba in sb_sasl_cyrus_encode (p=0x5559e680, buf=, len=, dst=0x5559e6f0) at ../../../../libraries/libldap/cyrus.c:134
#7  0x77f66b90 in sb_sasl_generic_write (sbiod=0x55585a30, buf=0x555c8d50, len=) at ../../../../libraries/libldap/sasl.c:783
#8  0x77f4ad3c in sb_debug_write (sbiod=0x55586aa0, buf=0x555c8d50, len=32) at ../../../../libraries/liblber/sockbuf.c:854
#9  0x77f50105 in ber_int_sb_write (sb=sb@entry=0x55585900, buf=0x555c8d50, len=len@entry=32) at ../../../../libraries/liblber/sockbuf.c:445
#10 0x77f5027b in ber_flush2 (sb=0x55585900, ber=0x555c7c90, freeit=freeit@entry=0) at ../../../../libraries/liblber/io.c:249
#11 0x77f7e0a7 in ldap_int_flush_request (ld=ld@entry=0x555834e0, lr=lr@entry=0x555c6cb0) at ../../../../libraries/libldap/request.c:186
#12 0x77f8001f in ldap_send_server_request (ld=ld@entry=0x555834e0, ber=ber@entry=0x555c7c90, 

[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>0

2022-05-17 Thread Andreas Hasenack
It's also crashing in debian:
https://ci.debian.net/data/autopkgtest/unstable/amd64/p/python-bonsai/21842977/log.gz

** Summary changed:

- Crash when using DIGEST-MD5 with SSF>0
+ Crash when using DIGEST-MD5 with SSF>=128

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1973760

Title:
  Crash when using DIGEST-MD5 with SSF>=128

Status in cyrus-sasl2 package in Ubuntu:
  In Progress

Bug description:
  I'm still troubleshooting this, but at the moment apps negotiating a
  DIGEST-MD5 authentication and requesting some form of transport
  encryption (ssf != 0) are crashing. The only example I have so far is
  the openldap client tools (so just one app really).

  ssf=0 works:
  $ ldapwhoami  -U ubuntu@lxd -w ubuntusecret -O maxssf=0
  SASL/DIGEST-MD5 authentication started
  SASL username: ubuntu@lxd
  SASL SSF: 0
  dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth

  
  ssf=128 crashes:
  $ ldapwhoami  -U ubuntu@lxd -w ubuntusecret -O maxssf=128
  SASL/DIGEST-MD5 authentication started
  SASL username: ubuntu@lxd
  SASL SSF: 128
  SASL data security layer installed.
  Segmentation fault (core dumped)

  The crash seems to be inside openssl. I'll get a proper stack trace.

  2.1.27, also built with openssl3, does not crash. So far only 2.1.28
  (in kinetic-proposed).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions




[Touch-packages] [Bug 1973760] [NEW] Crash when using DIGEST-MD5 with SSF>=128

2022-05-17 Thread Andreas Hasenack
Public bug reported:

I'm still troubleshooting this, but at the moment apps negotiating a
DIGEST-MD5 authentication and requesting some form of transport
encryption (ssf != 0) are crashing. The only example I have so far is
the openldap client tools (so just one app really).

ssf=0 works:
$ ldapwhoami  -U ubuntu@lxd -w ubuntusecret -O maxssf=0
SASL/DIGEST-MD5 authentication started
SASL username: ubuntu@lxd
SASL SSF: 0
dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth


ssf=128 crashes:
$ ldapwhoami  -U ubuntu@lxd -w ubuntusecret -O maxssf=128
SASL/DIGEST-MD5 authentication started
SASL username: ubuntu@lxd
SASL SSF: 128
SASL data security layer installed.
Segmentation fault (core dumped)

The crash seems to be inside openssl. I'll get a proper stack trace.

2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in
kinetic-proposed).

** Affects: cyrus-sasl2 (Ubuntu)
 Importance: High
 Assignee: Andreas Hasenack (ahasenack)
 Status: In Progress


** Tags: server-todo update-excuse update-excuses

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1973760

Title:
  Crash when using DIGEST-MD5 with SSF>=128

Status in cyrus-sasl2 package in Ubuntu:
  In Progress


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions




[Touch-packages] [Bug 1677781] Re: Missing dep8 tests

2022-05-16 Thread Andreas Hasenack
Sent new dep8 tests to debian, and then synced the package back into ubuntu:
https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.28+dfsg-5

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1677781

Title:
  Missing dep8 tests

Status in cyrus-sasl2 package in Ubuntu:
  In Progress

Bug description:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA256

  As of March 29, 2017, this source package did not contain dep8 tests in
  the current development release of Ubuntu, named Zesty. This was
  determined by running `pull-lp-source cyrus-sasl2 zesty` and then
  checking for the existence of 'debian/tests/' and
  'debian/tests/control'.

  Test automation is essential to higher levels of quality and confidence
  in updates to packages. dep8 tests [1] specify how automatic testing can
  be integrated into packages and then run by package maintainers before
  new uploads.

  This defect is to report the absence of these tests and to report the
  opportunity as a potential item for development by both new and
  experienced contributors.

  [1] http://packaging.ubuntu.com/html/auto-pkg-test.html

   affects ubuntu/cyrus-sasl2
   status new
   importance wishlist
   tag needs-dep8

  - ---
  Joshua Powers
  Ubuntu Server
  Canonical Ltd


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1677781/+subscriptions




[Touch-packages] [Bug 1971272] Re: Merge cyrus-sasl2 from Debian unstable for kinetic

2022-05-16 Thread Andreas Hasenack
This became a sync, after debian accepted my DEP8 tests.

https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.28+dfsg-5

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1971272

Title:
  Merge cyrus-sasl2 from Debian unstable for kinetic

Status in cyrus-sasl2 package in Ubuntu:
  In Progress

Bug description:
  Upstream: tbd
  Debian:   2.1.28+dfsg-4
  Ubuntu:   2.1.27+dfsg2-3ubuntu1


  Debian does new releases regularly, so it's likely there will be newer
  versions available before FF that we can pick up if this merge is done
  later in the cycle.

  
  ### New Debian Changes ###

  cyrus-sasl2 (2.1.28+dfsg-4) unstable; urgency=medium

    * d/copyright: java/* files were removed upstream
    * d/copyright: Reformat the default license's margin
    * d/copyright: Add project's license to include/makemd5.c
    * Move SCRAM to libsasl2-modules (Closes: #977360)
    * Install additional GS2 module for Heimdal
    * Remove Roberto from the Uploaders
    * Drop 0005-Fixes-in-library-mutexes.patch
    * Drop 0021-Fix-keytab-option-for-MIT-Kerberos.patch
    * Remove former logcheck conffile (Closes: #1009851)
    * lintian: Fix excessive-priority-for-library-package
    * lintian: Fix package-contains-empty-directory

   -- Bastian Germann   Wed, 20 Apr 2022 01:01:01 +0200

  cyrus-sasl2 (2.1.28+dfsg-3) unstable; urgency=high

    * Set MIT/Heimdal CFLAGS instead of CPPFLAGS
    * Drop unnecessary 0027-properly-create-libsasl2.pc.patch
    * Prevent installing outdated ChangeLog (Closes: #1009681)
    * Remove debug log message and its logcheck rule (Closes: #805310)
    * Self-reference pluginviewer man as saslpluginviewer (Closes: #1009380)
    * Get rid of broken README.configure-options
    * Add sasldbconverter2.8 manpage
    * d/copyright: Add missing KTH license
    * Install libsasl.5 manpage

    [ Debian Janitor ]
    * Remove constraints unnecessary since buster

   -- Bastian Germann   Fri, 15 Apr 2022 12:02:13 +0200

  cyrus-sasl2 (2.1.28+dfsg-2) unstable; urgency=medium

    * Remove cruft

   -- Bastian Germann   Fri, 25 Feb 2022 18:58:54 +0100

  cyrus-sasl2 (2.1.28+dfsg-1) experimental; urgency=medium

    * Drop upstream patches
    * Import new release signing key
    * Reset repacksuffix
    * New upstream version 2.1.28+dfsg (CVE-2022-24407)
    * Rebase 0027-properly-create-libsasl2.pc.patch

   -- Bastian Germann   Tue, 22 Feb 2022 23:40:47 +0100

  cyrus-sasl2 (2.1.27+dfsg2-3) unstable; urgency=medium

    [ Andreas Hasenack ]
    * Fix configure.ac for autoconf 2.70 (Closes: #1003355, #1000152)

   -- Bastian Germann   Tue, 11 Jan 2022 11:25:37 +0100

  cyrus-sasl2 (2.1.27+dfsg2-2) unstable; urgency=medium

    [ Helmut Grohne ]
    * Fix FTCBFS: (Closes: #928512)
      + cross.patch: Support caching SPNEGO support test.
      + Provide SPNEGO support test result.

    [ Vagrant Cascadian ]
    * Set date in man pages (Closes: #995145)

   -- Bastian Germann   Wed, 17 Nov 2021 01:23:49 +0100

  cyrus-sasl2 (2.1.27+dfsg2-1) unstable; urgency=medium

    * Add bage to uploaders (Closes: #799864)
    * Use upstream patches where possible
    * Amend off-by-one in _sasl_add_string function
    * Replace some patches by upstream equivalents
    * Apply the patches in order of to their prefixes
    * Add missing caret (^) in logcheck rule (Closes: #830764)
    * Remove unnecessary GPL copy
    * Add missing copyright/licenses
    * Repack, getting rid of more problematic files
    * Build html documentation
    * Make the package rebuildable
    * Remove outdated README.Debian info
    * Disable autostart via debhelper
    * Drop unnecessary patch
    * Remove alternative, old build dep libmysqlclient-dev
      Annotate documentation Build-Depends with :native

    [ Frédéric Brière ]
    * Make logcheck snippet compatible with systemd journal

   -- Bastian Germann   Sun, 14 Nov 2021 14:11:18 +0100

  cyrus-sasl2 (2.1.27+dfsg-2.3) unstable; urgency=medium

    * Non-maintainer upload.
    * d/watch: Check the github releases page
    * Get rid of a patch's patch
    * Recover upstream-compatible patch license (Closes: #996866)
      + Relicense libobj patch
    * Fix lintian: unused-override


  ### Old Ubuntu Delta ###

  cyrus-sasl2 (2.1.27+dfsg2-3ubuntu1) jammy; urgency=medium

    * SECURITY UPDATE: SQL injection in SQL plugin
      - debian/patches/CVE-2022-24407.patch: escape password for SQL
        insert/update commands in plugins/sql.c.
      - CVE-2022-24407

   -- Marc Deslauriers   Tue, 22 Feb 2022 14:17:18 -0500

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1971272/+subscriptions



[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"

2022-05-06 Thread Andreas Hasenack
** Changed in: cyrus-sasl2 (Ubuntu Jammy)
   Status: Triaged => In Progress

** Changed in: cyrus-sasl2 (Ubuntu Jammy)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/827151

Title:
  Annoying log message "DIGEST-MD5 common mech free"

Status in Cyrus-sasl2:
  Fix Released
Status in cyrus-sasl2 package in Ubuntu:
  Triaged
Status in cyrus-sasl2 source package in Trusty:
  Won't Fix
Status in cyrus-sasl2 source package in Xenial:
  Incomplete
Status in cyrus-sasl2 source package in Yakkety:
  Fix Released
Status in cyrus-sasl2 source package in Focal:
  Triaged
Status in cyrus-sasl2 source package in Impish:
  Triaged
Status in cyrus-sasl2 source package in Jammy:
  In Progress
Status in cyrus-sasl2 package in Debian:
  Fix Released


To manage notifications about this bug go to:
https://bugs.launchpad.net/cyrus-sasl2/+bug/827151/+subscriptions




[Touch-packages] [Bug 1677781] Re: Missing dep8 tests

2022-05-06 Thread Andreas Hasenack
** Changed in: cyrus-sasl2 (Ubuntu)
   Status: Triaged => In Progress

** Changed in: cyrus-sasl2 (Ubuntu)
   Importance: Wishlist => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1677781

Title:
  Missing dep8 tests

Status in cyrus-sasl2 package in Ubuntu:
  In Progress


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1677781/+subscriptions




[Touch-packages] [Bug 1971272] Re: Merge cyrus-sasl2 from Debian unstable for kinetic

2022-05-06 Thread Andreas Hasenack
** Changed in: cyrus-sasl2 (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1971272

Title:
  Merge cyrus-sasl2 from Debian unstable for kinetic

Status in cyrus-sasl2 package in Ubuntu:
  In Progress


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1971272/+subscriptions




[Touch-packages] [Bug 1677781] Re: Missing dep8 tests

2022-05-06 Thread Andreas Hasenack
** Changed in: cyrus-sasl2 (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1677781

Title:
  Missing dep8 tests

Status in cyrus-sasl2 package in Ubuntu:
  Triaged


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1677781/+subscriptions




[Touch-packages] [Bug 1971272] Re: Merge cyrus-sasl2 from Debian unstable for kinetic

2022-05-06 Thread Andreas Hasenack
** Changed in: cyrus-sasl2 (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1971272

Title:
  Merge cyrus-sasl2 from Debian unstable for kinetic

Status in cyrus-sasl2 package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1971272/+subscriptions




[Touch-packages] [Bug 1953065] Re: 2.13.0 FTBFS

2022-05-05 Thread Andreas Hasenack
** Merge proposal unlinked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/ust/+git/ust/+merge/421513

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ust in Ubuntu.
https://bugs.launchpad.net/bugs/1953065

Title:
  2.13.0 FTBFS

Status in LTTng-UST:
  Unknown
Status in ust package in Ubuntu:
  Fix Released

Bug description:
  I tried to merge ust from debian into ubuntu, to fix a build-time
  dependency, but stumbled on an FTBFS with that version.

  I filed upstream bug at https://bugs.lttng.org/issues/1337

  It basically happens in some new test cases that were added in 2.13.0
  and crash when we build it using our default -Wl,-Bsymbolic-flags
  linker option, which we have been using for years in Ubuntu.

  Here is the testsuite log output:
  
 lttng-ust 2.14.0-pre: tests/test-suite.log
  

  # TOTAL: 246
  # PASS:  241
  # SKIP:  0
  # XFAIL: 0
  # FAIL:  4
  # XPASS: 0
  # ERROR: 1

  .. contents:: :depth: 2

  ERROR: regression/abi0-conflict/test_abi0_conflict
  ==

  1..22
  # LD_PRELOAD
  # regression/abi0-conflict/test_abi0_conflict: LD_PRELOAD
  ok 1 - LD_PRELOAD: no-ust app works
  PASS: regression/abi0-conflict/test_abi0_conflict 1 - LD_PRELOAD: no-ust app works
  ok 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds
  PASS: regression/abi0-conflict/test_abi0_conflict 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds
  ./regression/abi0-conflict/test_abi0_conflict: line 56: 592651 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" "${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails
  ./regression/abi0-conflict/test_abi0_conflict: line 59: 592652 Aborted (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" "${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails
  ok 5 - LD_PRELOAD: ust app works
  PASS: regression/abi0-conflict/test_abi0_conflict 5 - LD_PRELOAD: ust app works
  ./regression/abi0-conflict/test_abi0_conflict: line 68: 592669 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 6 - LD_PRELOAD: ust app with abi0 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 6 - LD_PRELOAD: ust app with abi0 preload fails
  ./regression/abi0-conflict/test_abi0_conflict: line 71: 592683 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails
  ./regression/abi0-conflict/test_abi0_conflict: line 74: 592684 Aborted (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails
  # dlopen
  # regression/abi0-conflict/test_abi0_conflict: dlopen
  ok 9 - dlopen: no-ust app works
  PASS: regression/abi0-conflict/test_abi0_conflict 9 - dlopen: no-ust app works
  ok 10 - dlopen: no-ust app with abi1 and abi1 succeeds
  PASS: regression/abi0-conflict/test_abi0_conflict 10 - dlopen: no-ust app with abi1 and abi1 succeeds
  ./regression/abi0-conflict/test_abi0_conflict: line 92: 592689 Aborted (core dumped) LD_LIBRARY_PATH="$LIBFAKEUST0_PATH:$LIBUST1_PATH" "${CURDIR}/app_noust_dlopen" abi0_abi1 > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 11 - dlopen: no-ust app with abi0 and abi1 fails
  PASS: regression/abi0-conflict/test_abi0_conflict 11 - dlopen: no-ust app with abi0 and abi1 fails
  not ok 12 - dlopen: no-ust app with abi1 and abi0 fails
  FAIL: regression/abi0-conflict/test_abi0_conflict 12 - dlopen: no-ust app with abi1 and abi0 fails
  #   Failed test 'dlopen: no-ust app with abi1 and abi0 fails'
  # regression/abi0-conflict/test_abi0_conflict: Failed test 'dlopen: no-ust app with abi1 and abi0 fails'
  #   in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at line 300.
  # regression/abi0-conflict/test_abi0_conflict: in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at line 300.
  #  got: '0'
  # regression/abi0-conflict/test_abi0_conflict: got: '0'
  # expected: '0'
  # regression/abi0-conflict/test_abi0_conflict: expected: '0'
  ok 13 - dlopen: 

[Touch-packages] [Bug 1970979] Re: compiler flags leaking through krb5-config --libs

2022-05-02 Thread Andreas Hasenack
Post in the upstream mailing list, let's see if this spawns a
discussion:

https://mailman.mit.edu/pipermail/krbdev/2022-April/013543.html

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1970979

Title:
  compiler flags leaking through krb5-config --libs

Status in krb5 package in Ubuntu:
  New

Bug description:
  krb5-config --libs is leaking some compiler specific flags that we
  define in Ubuntu:

  $ krb5-config --libs 
  -L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions -flto=auto 
-ffat-lto-objects -flto=auto -Wl,-z,relro -lkrb5 -lk5crypto -lcom_err

  The ones that concern me more specifically are:
  - -Wl,-Bsymbolic-functions
  - -lto related ones

  I'm unsure if -Wl,-z,relro should be there either.

  It looks like LDFLAGS got mixed with LIBS. pkg-config's output is
  different and only contains the libraries and library path:

  $ pkg-config --libs krb5
  -L/usr/lib/x86_64-linux-gnu/mit-krb5 -lkrb5 -lk5crypto -lcom_err

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1970979/+subscriptions




[Touch-packages] [Bug 1970979] [NEW] compiler flags leaking through krb5-config --libs

2022-04-29 Thread Andreas Hasenack
Public bug reported:

krb5-config --libs is leaking some compiler specific flags that we
define in Ubuntu:

$ krb5-config --libs 
-L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions -flto=auto 
-ffat-lto-objects -flto=auto -Wl,-z,relro -lkrb5 -lk5crypto -lcom_err

The ones that concern me more specifically are:
- -Wl,-Bsymbolic-functions
- -lto related ones

I'm unsure if -Wl,-z,relro should be there either.

It looks like LDFLAGS got mixed with LIBS. pkg-config's output is
different and only contains the libraries and library path:

$ pkg-config --libs krb5
-L/usr/lib/x86_64-linux-gnu/mit-krb5 -lkrb5 -lk5crypto -lcom_err

** Affects: krb5 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1970979

Title:
  compiler flags leaking through krb5-config --libs

Status in krb5 package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1970979/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
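
The LDFLAGS/LIBS mix-up reported above can be checked mechanically. The following is an added example, not code from the bug report or from krb5: it buckets the tokens of a `--libs` line and lists what `krb5-config` emits beyond `pkg-config`. The two sample strings are the outputs quoted in the report; the function names and the bucket labels are assumptions made for this sketch.

```python
import shlex

# Outputs quoted in the bug report (Ubuntu, x86_64).
KRB5_CONFIG_LIBS = (
    "-L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions -flto=auto "
    "-ffat-lto-objects -flto=auto -Wl,-z,relro -lkrb5 -lk5crypto -lcom_err"
)
PKG_CONFIG_LIBS = "-L/usr/lib/x86_64-linux-gnu/mit-krb5 -lkrb5 -lk5crypto -lcom_err"


def classify(token):
    """Bucket one token of a --libs line (bucket names are this sketch's own)."""
    if token.startswith(("-l", "-L")):
        return "link"           # library or library search path: what --libs is for
    if token.startswith("-Wl,"):
        return "linker-option"  # passed straight to ld: distro build policy
    if token.startswith("-flto") or token == "-ffat-lto-objects":
        return "lto"            # compiler/LTO flag, changes how the consumer is built
    return "other"


def audit_libs(output):
    """Return the de-duplicated tokens of a --libs line, grouped by bucket."""
    report = {"link": [], "linker-option": [], "lto": [], "other": []}
    for token in shlex.split(output):
        bucket = report[classify(token)]
        if token not in bucket:
            bucket.append(token)
    return report


def leaked_flags(config_output, reference_output):
    """Tokens present in config_output but absent from the reference line."""
    reference = set(shlex.split(reference_output))
    leaked = []
    for token in shlex.split(config_output):
        if token not in reference and token not in leaked:
            leaked.append(token)
    return leaked


if __name__ == "__main__":
    for bucket, tokens in audit_libs(KRB5_CONFIG_LIBS).items():
        print(f"{bucket:14} {' '.join(tokens) or '-'}")
    print("not in pkg-config:",
          " ".join(leaked_flags(KRB5_CONFIG_LIBS, PKG_CONFIG_LIBS)))
```
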


[Touch-packages] [Bug 1970634] Re: FTBFS: mariadb fails to start due to low MEMLOCK limit

2022-04-29 Thread Andreas Hasenack
> Could it be -flto/-ffat-lto-objects related (like 
> https://jira.mariadb.org/browse/MDEV-25633)? 
> The top part of the stack trace looks the same.

Nice catch. Indeed, disabling lto fixes the build and startup in low
memlock conditions.

I'm still concerned with lto creeping in via krb5-config[1], but that's
another issue.


1. https://lists.ubuntu.com/archives/ubuntu-devel/2022-April/042013.html

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1970634

Title:
  FTBFS: mariadb fails to start due to low MEMLOCK limit

Status in mariadb-10.6 package in Ubuntu:
  In Progress
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
   ahasenack: IIRC, originally Launchpad was FTBFSing on mariadb that 
included io_uring support because upstream were doing a build time test for 
io_uring (and I think still are), which is wrong because it should be done at 
runtime since the lack of io_uring availability at build time doesn't tell us 
about its availability at runtime.
   But then the Launchpad builders got updated to a newer release and 
therefore a newer kernel that supported it.
   AIUI, that's how we ended up with a successful build in the Jammy 
release pocket (of 10.6).
   I think the lp builders are using the focal hwe kernel
   5.4.0-something
   let me check that build log
   But then something changed that caused this current FTBFS, and I 
haven't tracked down what that is.
   hm, both are 10.6.7
   release and proposed
   What puzzles me is that if the root cause is a memlock rlimit issue 
then why did it work before?
   So since there's a contradiction somewhere, maybe one or more of my 
"facts" above is wrong.
   this is the current failure
   2022-04-14  8:11:49 0 [Warning] mariadbd: io_uring_queue_init() 
failed with ENOMEM: try larger memory locked limit, ulimit -l, or 
https://mariadb.com/kb/en/systemd/#configuring-limitmemlock under systemd 
(262144 bytes required)
   and ulimit -l confirms that the limit is lower
   Max locked memory 65536 65536 bytes
   just 64kbytes
   Yeah but then how did the release pocket build work?
   either the limit was different back then
   or ... stuff

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.6/+bug/1970634/+subscriptions




[Touch-packages] [Bug 1970634] Re: FTBFS: mariadb fails to start due to low MEMLOCK limit

2022-04-28 Thread Andreas Hasenack
Since mariadb on the current jammy kernel disables io_uring at startup,
I'm considering disabling io_uring entirely in the jammy mariadb build.
The only scenario where io_uring would be used by the jammy mariadb is
if the user ran a different kernel than the one shipped with jammy.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1970634

Title:
  FTBFS: mariadb fails to start due to low MEMLOCK limit

Status in mariadb-10.6 package in Ubuntu:
  In Progress
Status in systemd package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.6/+bug/1970634/+subscriptions




[Touch-packages] [Bug 1970634] Re: FTBFS: test failure due to low memlock limit

2022-04-28 Thread Andreas Hasenack
I added a task for systemd to consider raising the default
RLIMIT_MEMLOCK limit.

This upstream commit raises the default limit to 8Mb:

https://github.com/systemd/systemd/commit/852b62507b2

The way things are now, the following scenario does NOT work out of the
box:

- jammy lxd on focal host
- apt install mariadb-server

mariadb will crash and core dump because of the low MEMLOCK limit. Its
systemd service file even has this line to raise the limit:

LimitMEMLOCK=524288

But that does not have any effect from inside the unprivileged lxd
container.

Jammy lxd on jammy host will work just because the jammy kernel (5.15.0)
is deemed unsafe[1] for uring by mariadb, and then uring is disabled
during startup.


1. 
https://github.com/MariaDB/server/blob/10.6/storage/innobase/handler/ha_innodb.cc#L19480

** Summary changed:

- FTBFS: test failure due to low memlock limit
+ FTBFS: mariadb fails to start due to low MEMLOCK limit

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1970634

Title:
  FTBFS: mariadb fails to start due to low MEMLOCK limit

Status in mariadb-10.6 package in Ubuntu:
  In Progress
Status in systemd package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.6/+bug/1970634/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
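
The message above notes that the unit's LimitMEMLOCK= has no effect inside the unprivileged container. The following is an added example, not code from the bug or from mariadb/systemd: it compares the limit a unit file requests, the limit a process actually has (the /proc/<pid>/limits format), and the amount named in the mariadbd warning. The sample strings reuse the values quoted in this bug; the [Service] wrapper, the column spacing and all function names are constructed for the sketch.

```python
import re

UNLIMITED = float("inf")
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}

# Constructed samples built from the values quoted in the bug.
UNIT_TEXT = "[Service]\nLimitMEMLOCK=524288\n"
LIMITS_TEXT = "Max locked memory         65536                65536                bytes\n"
LOG_LINE = ("2022-04-14  8:11:49 0 [Warning] mariadbd: io_uring_queue_init() "
            "failed with ENOMEM: try larger memory locked limit, ulimit -l, or "
            "https://mariadb.com/kb/en/systemd/#configuring-limitmemlock under "
            "systemd (262144 bytes required)")


def parse_limit_value(text):
    """Bytes for '524288', '8M', 'infinity' or 'unlimited' (base-1024 suffixes)."""
    text = text.strip()
    if text in ("infinity", "unlimited"):
        return UNLIMITED
    match = re.fullmatch(r"(\d+)([KMGT]?)", text)
    if not match:
        raise ValueError(f"unrecognised limit value: {text!r}")
    return int(match.group(1)) * _UNITS[match.group(2)]


def unit_memlock(unit_text):
    """Soft limit requested by LimitMEMLOCK= (last assignment wins), or None."""
    value = None
    for line in unit_text.splitlines():
        match = re.fullmatch(r"\s*LimitMEMLOCK\s*=\s*(\S+)\s*", line)
        if match:
            # 'soft:hard' is allowed; the soft value is what the process gets.
            value = parse_limit_value(match.group(1).split(":")[0])
    return value


def effective_memlock(limits_text):
    """Soft 'Max locked memory' value from /proc/<pid>/limits content."""
    match = re.search(r"^\s*Max locked memory\s+(\S+)\s+(\S+)\s+bytes",
                      limits_text, re.MULTILINE)
    if not match:
        raise ValueError("no 'Max locked memory' line found")
    return parse_limit_value(match.group(1))


def required_memlock(log_line):
    """Byte count from the '(N bytes required)' part of the warning, or None."""
    match = re.search(r"\((\d+) bytes required\)", log_line)
    return int(match.group(1)) if match else None


def diagnose(unit_text, limits_text, log_line):
    requested = unit_memlock(unit_text)
    effective = effective_memlock(limits_text)
    required = required_memlock(log_line)
    return {
        "requested": requested,
        "effective": effective,
        "required": required,
        # False when the unit asked for a limit the process did not receive.
        "unit_limit_applied": requested is not None and effective == requested,
        "shortfall": max(0, required - effective) if required is not None else 0,
    }


if __name__ == "__main__":
    for key, value in diagnose(UNIT_TEXT, LIMITS_TEXT, LOG_LINE).items():
        print(f"{key:20} {value}")
```

To check a live service, pass the contents of /proc/<pid>/limits for its main process instead of the sample string.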


[Touch-packages] [Bug 1970634] Re: FTBFS: test failure due to low memlock limit

2022-04-28 Thread Andreas Hasenack
** Also affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1970634

Title:
  FTBFS: test failure due to low memlock limit

Status in mariadb-10.6 package in Ubuntu:
  In Progress
Status in systemd package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.6/+bug/1970634/+subscriptions




[Touch-packages] [Bug 1969676] [NEW] Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1

2022-04-20 Thread Andreas Hasenack
Public bug reported:

When provisioning a new realm, this warning is logged in
/var/log/syslog:

==> /var/log/syslog <==
Apr 20 20:43:16 kdc systemd[1]: Starting Kerberos 5 Key Distribution Center...
Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1!

This comes from "master_key_type" in the default kdc.conf shipped in
krb5-kdc:

$ cat /usr/share/krb5-kdc/kdc.conf.template 
[kdcdefaults]
kdc_ports = 750,88

[realms]
@MYREALM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
#supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}

The kdc.conf manpage says that the current default is 
"aes256-cts-hmac-sha1-96". The sample
kdc.conf in the documentation at 
https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html#kdc-conf 
suggests just "master_key_type = aes256-cts".

Changing encryption defaults should be done carefully, even when
suggested by upstream. I filed bugs.debian.org/1009927 in debian as
well.

** Affects: krb5 (Ubuntu)
 Importance: Medium
 Status: Triaged

** Affects: krb5 (Debian)
 Importance: Unknown
 Status: Unknown

** Changed in: krb5 (Ubuntu)
   Status: New => Triaged

** Changed in: krb5 (Ubuntu)
   Importance: Undecided => Medium

** Bug watch added: Debian Bug tracker #1009927
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009927

** Also affects: krb5 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009927
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1969676

Title:
  Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1

Status in krb5 package in Ubuntu:
  Triaged
Status in krb5 package in Debian:
  Unknown

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1969676/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
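
The warning above can be caught before the KDC is started by auditing kdc.conf itself. The following is an added example, not code from the bug report or from krb5: it parses the [realms] section and reports master_key_type and supported_enctypes values that use a deprecated enctype. TEMPLATE is the kdc.conf.template quoted in the report; the DEPRECATED alias table is an assumption taken from MIT's enctype documentation and should be checked against the installed release, and MIXED is a constructed realm.

```python
import re

# Assumption: alias -> canonical name for enctypes that MIT krb5's enctype
# documentation marks as deprecated; verify against the installed release.
DEPRECATED = {
    "des3-cbc-sha1": "des3-cbc-sha1",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "arcfour-hmac": "arcfour-hmac",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
}

# The template quoted in the bug report.
TEMPLATE = """\
[kdcdefaults]
kdc_ports = 750,88

[realms]
@MYREALM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
#supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}
"""

# Same template with the value the MIT sample kdc.conf suggests.
FIXED = TEMPLATE.replace("master_key_type = des3-hmac-sha1",
                         "master_key_type = aes256-cts")

# Constructed realm mixing a current and a deprecated enctype.
MIXED = """\
[realms]
EXAMPLE.TEST = {
supported_enctypes = aes256-cts:normal, rc4-hmac:normal
}
"""


def parse_realms(text):
    """Return {realm: {relation: value}} for the [realms] section."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
            continue
        if section != "realms":
            continue
        if line == "}":
            realm = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value == "{":
            realm = key
            realms[realm] = {}
        elif realm is not None:
            realms[realm][key] = value
    return realms


def audit(text):
    """List (realm, relation, configured name, canonical deprecated enctype)."""
    findings = []
    for realm, relations in parse_realms(text).items():
        master = relations.get("master_key_type")
        if master in DEPRECATED:
            findings.append((realm, "master_key_type", master, DEPRECATED[master]))
        # Entries are enctype:salttype, separated by spaces or commas.
        for entry in re.split(r"[,\s]+", relations.get("supported_enctypes", "")):
            enctype = entry.split(":")[0]
            if enctype in DEPRECATED:
                findings.append((realm, "supported_enctypes", enctype,
                                 DEPRECATED[enctype]))
    return findings


if __name__ == "__main__":
    for finding in audit(TEMPLATE):
        print("%s: %s = %s (deprecated enctype %s)" % finding)
```
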


[Touch-packages] [Bug 1774788] Re: Daemon won't start at boot up (18LTS fully patched)

2022-03-30 Thread Andreas Hasenack
This is a class[1] of bugs for which we cannot come up with a general
solution that will safely and sanely apply to all scenarios. For such
cases, local configuration changes should be made to accommodate the
intended behavior in each case.

We believe that, in this particular case, since the configuration was
explicitly changed to use a specific IP, you should continue with the
changes and adjust the systemd unit file for rsync to cope with that, be
it adjusting the target to be network-online, or something else that
explicitly waits for that very interface to come up. systemd offers
mechanisms for such overrides, and it's described in more detail in
comment #2.

Regarding the "systemctl start rsync" exit status, it's the way it works
with Type=simple systemd services. From the systemd.service manpage:

"""
If set to simple (the default if ExecStart= is specified but neither Type= nor 
BusName= are) the service manager will consider the unit started immediately 
after the main service process has been forked off. (...)
Note that this means systemctl start command lines for simple services will 
report success even if the service's binary cannot be invoked successfully
"""

I tried Type=exec, but it still behaved in the same way (as the error
happens after rsync starts up, i.e., the binary was executed).

With Type=forking I got a bit further, but the timeout needs tuning:

root@j1-rsyncd:~# time systemctl start rsync
Job for rsync.service failed because a timeout was exceeded.
See "systemctl status rsync.service" and "journalctl -xeu rsync.service" for 
details.

real    1m30.246s


With TimeoutStartSec=5 in the unit file it's better:

root@j1-rsyncd:~# time systemctl start rsync
Job for rsync.service failed because a timeout was exceeded.
See "systemctl status rsync.service" and "journalctl -xeu rsync.service" for 
details.

real    0m5.287s


I think the most reliable way would be Type=notify, but that requires rsync 
code changes to support systemd's notify mechanism.

In summary, for the specific case of this bug, we believe that systemd
overrides are the best answer for now. To detect startup errors
immediately, I'm willing to file a separate bug.


1. https://bugs.launchpad.net/ubuntu/+bugs?field.tag=network-online-ordering

** Changed in: rsync (Ubuntu)
   Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsync in Ubuntu.
https://bugs.launchpad.net/bugs/1774788

Title:
  Daemon won't start at boot up   (18LTS fully patched)

Status in rsync:
  Unknown
Status in rsync package in Ubuntu:
  Won't Fix

Bug description:
  By adding the 'address=' option to the /etc/rsyncd.conf file, the
  daemon fails at boot.

  Once the NIC(s) is/are up, it will start fine when executed via
  systemctl start rsync

  
  ● rsync.service - fast remote file copy program daemon
 Loaded: loaded (/lib/systemd/system/rsync.service; enabled; vendor preset: 
enabled)
 Active: failed (Result: exit-code) since Sat 2018-06-02 08:01:31 CST; 
52min ago
Process: 851 ExecStart=/usr/bin/rsync --daemon --no-detach (code=exited, 
status=10)
   Main PID: 851 (code=exited, status=10)

  Jun 02 08:01:31 billlaptop.private.ycc systemd[1]: Started fast remote file 
copy program daemon.
  Jun 02 08:01:31 billlaptop.private.ycc rsyncd[851]: rsyncd version 3.1.2 
starting, listening on port 873
  Jun 02 08:01:31 billlaptop.private.ycc rsyncd[851]: bind() failed: Cannot 
assign requested address (address-family 2)
  Jun 02 08:01:31 billlaptop.private.ycc systemd[1]: rsync.service: Main 
process exited, code=exited, status=10/n/a
  Jun 02 08:01:31 billlaptop.private.ycc rsyncd[851]: unable to bind any 
inbound sockets on port 873
  Jun 02 08:01:31 billlaptop.private.ycc systemd[1]: rsync.service: Failed with 
result 'exit-code'.
  Jun 02 08:01:31 billlaptop.private.ycc rsyncd[851]: rsync error: error in 
socket IO (code 10) at socket.c(555) [Receiver=3.1.2]

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: rsync 3.1.2-2.1ubuntu1
  ProcVersionSignature: Ubuntu 4.15.0-22.24-generic 4.15.17
  Uname: Linux 4.15.0-22-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.1
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Sat Jun  2 08:48:15 2018
  InstallationDate: Installed on 2018-06-01 (0 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  SourcePackage: rsync
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/rsync/+bug/1774788/+subscriptions




[Touch-packages] [Bug 1961981] [NEW] Current delta applied twice, not needed

2022-02-23 Thread Andreas Hasenack
Public bug reported:

audit has this ubuntu delta:
  * Merge with Debian unstable. Remaining changes:
- debian/rules: Disable auditd network listener, with --disable-listener,
  to reduce the risk of a remote attack on auditd, which runs as root

Turns out this was adopted in debian since 1:2.8.5-1:

  * debian/rules: On Ubuntu and derivatives, disable auditd network listener
with --disable-listener

Debian's change is:
# Merge the last remaining Ubuntu specific change in Debian:
# Disable auditd network listener to reduce the risk of a remote attack on
# auditd, which runs as root
ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes), yes)
  CONFIGURE_FLAGS += --disable-listener
endif


and ours is to add --disable-listener explicitly. d/rules ends up being:
dh_auto_configure -- \
--sbindir=/sbin \
--libdir=/lib/${DEB_HOST_MULTIARCH} \
--enable-shared=audit \
--enable-gssapi-krb5 \
--disable-listener \
--with-apparmor \
--with-libwrap \
--with-libcap-ng \
$(CONFIGURE_FLAGS) \
--with-arm --with-aarch64 ${EXTRA_ARCH_TABLE}

CONFIGURE_FLAGS gets --disable-listener on ubuntu, and we add it again.

The delta can be dropped. Then it's just a matter of checking the other
debian changes and, if deemed appropriate, sync the package.

** Affects: audit (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1961981

Title:
  Current delta applied twice, not needed

Status in audit package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1961981/+subscriptions




[Touch-packages] [Bug 1959054] Re: debhelper restarts services marked --no-restart-on-upgrade

2022-02-20 Thread Andreas Hasenack
It worked

ii  debconf  1.5.79ubuntu1  all  Debian configuration management system


root@j-slapd-reconfigure:~# pidof slapd
105004
root@j-slapd-reconfigure:~# dpkg-reconfigure -fnoninteractive -pcritical slapd
  Backing up /etc/ldap/slapd.d in 
/var/backups/slapd-2.5.11+dfsg-1~exp1ubuntu3... done.
  Moving old database directory to /var/backups:
  - directory unknown... done.
  Creating initial configuration... done.
  Creating LDAP directory... done.

root@j-slapd-reconfigure:~# pidof slapd
105415
root@j-slapd-reconfigure:~#

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to debconf in Ubuntu.
https://bugs.launchpad.net/bugs/1959054

Title:
  debhelper restarts services marked --no-restart-on-upgrade

Status in debconf package in Ubuntu:
  New
Status in debhelper package in Ubuntu:
  Fix Released
Status in docker.io package in Ubuntu:
  Fix Released
Status in libvirt package in Ubuntu:
  Fix Committed
Status in debconf source package in Jammy:
  New
Status in debhelper source package in Jammy:
  Fix Released
Status in docker.io source package in Jammy:
  Fix Released
Status in libvirt source package in Jammy:
  Fix Committed
Status in debconf package in Debian:
  New
Status in debhelper package in Debian:
  New

Bug description:
  Debian bug #994204 (https://bugs.debian.org/cgi-
  bin/bugreport.cgi?bug=994204) describes a flaw in debhelper that
  results in the postinst being generated in such a fashion that
  services marked --no-stop-on-upgrade (or its deprecated alias --no-
  restart-on-upgrade), restart anyway.

  Please note: this is nothing to do with the --no-restart-after-upgrade
  flag (which is, somewhat confusingly IMO, unrelated).

  I've confirmed that the flaw appears to be present in the jammy
  version of debhelper (though not impish) and that packages generated
  with it appear to contain the flawed postinst (I first encountered
  this whilst working on the open-iscsi merge), though I haven't yet
  managed to test that the flaw exhibits itself on upgrade (though I'd
  say from the presence of the flaw in the postinst, that it's a
  reasonable inference that it will).

  In dbus (the merge of which I'm currently working on), Debian has
  worked around this but given I've now run into two affected packages
  (open-iscsi and dbus), only one of which has a work-around, I'd much
  rather we got debhelper fixed up and rebuilt affected packages?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/1959054/+subscriptions




[Touch-packages] [Bug 1959054] Re: debhelper restarts services marked --no-restart-on-upgrade

2022-02-20 Thread Andreas Hasenack
Gladly!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to debconf in Ubuntu.
https://bugs.launchpad.net/bugs/1959054

Title:
  debhelper restarts services marked --no-restart-on-upgrade

Status in debconf package in Ubuntu:
  New
Status in debhelper package in Ubuntu:
  Fix Released
Status in docker.io package in Ubuntu:
  Fix Released
Status in libvirt package in Ubuntu:
  Fix Committed
Status in debconf source package in Jammy:
  New
Status in debhelper source package in Jammy:
  Fix Released
Status in docker.io source package in Jammy:
  Fix Released
Status in libvirt source package in Jammy:
  Fix Committed
Status in debconf package in Debian:
  New
Status in debhelper package in Debian:
  New

Bug description:
  Debian bug #994204 (https://bugs.debian.org/cgi-
  bin/bugreport.cgi?bug=994204) describes a flaw in debhelper that
  results in the postinst being generated in such a fashion that
  services marked --no-stop-on-upgrade (or its deprecated alias --no-
  restart-on-upgrade), restart anyway.

  Please note: this is nothing to do with the --no-restart-after-upgrade
  flag (which is, somewhat confusingly IMO, unrelated).

  I've confirmed that the flaw appears to be present in the jammy
  version of debhelper (though not impish) and that packages generated
  with it appear to contain the flawed postinst (I first encountered
  this whilst working on the open-iscsi merge), though I haven't yet
  managed to test that the flaw exhibits itself on upgrade (though I'd
  say from the presence of the flaw in the postinst, that it's a
  reasonable inference that it will).

  In dbus (the merge of which I'm currently working on), Debian has
  worked around this but given I've now run into two affected packages
  (open-iscsi and dbus), only one of which has a work-around, I'd much
  rather we got debhelper fixed up and rebuilt affected packages?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/1959054/+subscriptions




[Touch-packages] [Bug 1528921] Re: rsync hangs on select(5, [], [4], [], {60, 0}

2022-02-08 Thread Andreas Hasenack
** Changed in: rsync (Ubuntu Bionic)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsync in Ubuntu.
https://bugs.launchpad.net/bugs/1528921

Title:
  rsync hangs on select(5, [], [4], [], {60, 0}

Status in rsync:
  Unknown
Status in rsync package in Ubuntu:
  Confirmed
Status in rsync source package in Bionic:
  In Progress
Status in rsync source package in Focal:
  In Progress

Bug description:
  [Impact]

  What the user suffering from this bug experiences is that the big
  amount of informative messages related to the copy process with the
  three spawned processes (sender, receiver and generator) exhaust the
  I/O buffer and the sync gets stuck, either because there are too many
  files to synchronise and/or because too many detail messages (levels
  of verbose mode) have been requested in the output.

  The fix, that comes from upstream and is applied there since version
  3.2.0., increments the size of the receiver's I/O buffer.

  [Test Plan]
  This test plan is for Focal, but it's the same for Bionic.

  0. Preparing the test environment:

  #Preparing the container
  lxc launch images:ubuntu/focal rsync-iobuffer-focal
  lxc shell rsync-iobuffer-focal
  apt update -y
  apt upgrade -y

  #Installing necessary tools
  apt install rsync

  #Get test cases from comments #16 and #19 on this LP bug: As test case
  #16 covers both aspects (a lot of files and upper verbosity) and test
  #19 uses a huge tarball (120 Mb), I'm removing from this SRU the #19
  scenario (but please feel free to reach me if you consider it
  necessary and I'll provide the steps and bad/good scenarios).

  cd /tmp/

  #16
  Paste the contents of https://pastebin.com/raw/ctzJJGwt:

  #!/bin/bash
  mkdir source_dir
  pushd source_dir
  dd if=/dev/zero of=source bs=600K count=1

  for i in `seq 1 11500`;
  do
  cp -v source file_$i;
  done

  rm source

  for i in `seq 1 10`;
  do
   dd if=/dev/zero of=file_large_$i bs=200M count=1
  done

  popd

  echo "Created 11500 files with size 600K and 10 files with size 200M, try the following command:"
  echo "rsync -avvvz --delete source_dir target_dir"

  in a new file script_comment16.sh

  chmod +x script_comment16.sh
  ./script_comment16.sh

  1. Bad cases (without and with using strace):

  # Scenario from comment 16
  $ rsync -avvvz --delete source_dir target_dir
  sending incremental file list
  [sender] make_file(source_dir,*,0)
  send_file_list done
  [sender] pushing local filters for /root/source_dir/
  [sender] make_file(source_dir/file_3048,*,2)
  [sender] make_file(source_dir/file_11358,*,2)
  [sender] make_file(source_dir/file_5914,*,2)
  [sender] make_file(source_dir/file_5880,*,2)
  [sender] make_file(source_dir/file_9318,*,2)
  [sender] make_file(source_dir/file_5539,*,2)
  [...]
  sending file_sum
  false_alarms=0 hash_hits=0 matches=0
  sender finished source_dir/file_10807
  send_files(903, source_dir/file_10808)
  send_files mapped source_dir/file_10808 of size 614400
  calling match_sums source_dir/file_10808
  source_dir/file_10808

  It hangs here, where using strace we can see:

  $ strace rsync -avvvz --delete source_dir target_dir
  source_dir/file_11280
  read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 262144) = 262144
  read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 262144) = 262144
  read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 90112) = 90112
  select(6, [5], [4], [5], {tv_sec=60, tv_usec=0}) = 1 (in [5], left {tv_sec=59, tv_usec=96})
  read(5, "\0\0\0\0\0\0\0\1\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\0\0\0"..., 1900) = 1900
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout)
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout)
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}

  1. Good cases:

  # Scenario from comment 16

  $ rsync -avvvz --delete source_dir target_dir
  sending incremental file list
  [sender] make_file(source_dir,*,0)
  send_file_list done
  [sender] pushing local filters for /tmp/source_dir/
  [sender] make_file(source_dir/file_3052,*,2)
  [sender] make_file(source_dir/file_1766,*,2)
  [sender] make_file(source_dir/file_10466,*,2)
  [sender] make_file(source_dir/file_9375,*,2)
  [sender] make_file(source_dir/file_7260,*,2)
  [sender] make_file(source_dir/file_5554,*,2)
  [sender] make_file(source_dir/file_5523,*,2)
  [sender] make_file(source_dir/file_1685,*,2)
  [sender] make_file(source_dir/file_7217,*,2)
  [sender] make_file(source_dir/file_10411,*,2)
  [...]
  generate_files finished

  sent 9,555,678 bytes  received 3,599,560 bytes  124,694.20 bytes/sec
  total size is 9,162,752,000  speedup is 696.51

  [Where problems could occur]

  Perhaps the buffer size may not be sufficient for an operation
  involving a very huge amount of data, as reported upstream here (
  

[Touch-packages] [Bug 1528921] Re: rsync hangs on select(5, [], [4], [], {60, 0}

2022-02-08 Thread Andreas Hasenack
** Merge proposal linked:
   
https://code.launchpad.net/~mirespace/ubuntu/+source/rsync/+git/rsync/+merge/415244

** Changed in: rsync (Ubuntu Focal)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsync in Ubuntu.
https://bugs.launchpad.net/bugs/1528921

Title:
  rsync hangs on select(5, [], [4], [], {60, 0}

Status in rsync:
  Unknown
Status in rsync package in Ubuntu:
  Confirmed
Status in rsync source package in Bionic:
  New
Status in rsync source package in Focal:
  In Progress

Bug description:
  [Impact]

  What the user suffering from this bug experiences is that the big
  amount of informative messages related to the copy process with the
  three spawned processes (sender, receiver and generator) exhaust the
  I/O buffer and the sync gets stuck, either because there are too many
  files to synchronise and/or because too many detail messages (levels
  of verbose mode) have been requested in the output.

  The fix, that comes from upstream and is applied there since version
  3.2.0., increments the size of the receiver's I/O buffer.

  
  [Test Plan]
  This test plan is for Focal, but it's the same for Bionic.

  0. Preparing the test environment:

  #Preparing the container
  lxc launch images:ubuntu/focal rsync-iobuffer-focal
  lxc shell rsync-iobuffer-focal
  apt update -y
  apt upgrade -y

  #Installing necessary tools
  apt install rsync 
  apt install wget

  #Get test cases from comments #16 and #19 on this LP bug

  cd /tmp/

  #19
  wget https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1528921/+attachment/5211950/+files/html2.tgz
  tar -xvzf /tmp/html2.tgz
  mkdir /tmp/rsynctest

  #16 
  Paste the contents of https://pastebin.com/raw/ctzJJGwt:

  #!/bin/bash
  mkdir source_dir
  pushd source_dir
  dd if=/dev/zero of=source bs=600K count=1

  for i in `seq 1 11500`;
  do
  cp -v source file_$i;
  done

  rm source

  for i in `seq 1 10`;
  do
   dd if=/dev/zero of=file_large_$i bs=200M count=1
  done

  popd

  echo "Created 11500 files with size 600K and 10 files with size 200M, try the following command:"
  echo "rsync -avvvz --delete source_dir target_dir"

  in a new file script_comment16.sh
   
  chmod +x script_comment16.sh 
  ./script_comment16.sh

  
  1. Bad cases (without and with using strace):

  # Scenario from comment 19 
  $ rsync --debug=all -avz /tmp/html2 /tmp/rsynctest/
  (Client) Protocol versions: remote=31, negotiated=31
  sending incremental file list
  [sender] change_dir(/tmp)
  send_files starting
  server_recv(2) starting pid=49029
  get_local_name count=7070 /tmp/rsynctest/
  created directory /tmp/rsynctest
  [Receiver] change_dir(/tmp/rsynctest)
  generator starting pid=49029
  delta-transmission disabled for local transfer or --whole-file
  recv_generator(html2,1)
  recv_generator(html2,2)
  set uid of html2 from 0 to 1000
  set gid of html2 from 0 to 1000
  set modtime of html2 to (1447205118) Wed Nov 11 01:25:18 2015
  [...]
  sender finished /tmp/html2/annotator__raw_8h__incl.md5
  send_files(282, /tmp/html2/annotator__raw_8h__incl.png)
  html2/annotator__raw_8h__incl.png

  It hangs here, where using strace we can see:

  $ strace rsync --debug=all -avz /tmp/html2 /tmp/rsynctest/
  [...]
  read(3, "\211PNG\r\n\32\n\0\0\0\rIHDR\0\0\v\4\0\0\2\233\10\6\0\0\0\361\177\254"..., 262144) = 262144
  select(6, [5], [4], [5], {tv_sec=60, tv_usec=0}) = 2 (in [5], out [4], left {tv_sec=59, tv_usec=98})
  read(5, "\0\0\0\0\0\0\0\1\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\0\0\0"..., 95) = 95
  write(4, "K\374\0\7\177\377\207\343\335\345+{W\335{K\371y\211w`Ysl\336B{\312\340}\320\301"..., 64591) = 64591
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 1 (out [4], left {tv_sec=59, tv_usec=98})
  write(4, "\336\322\0\7\177\377\255\371\367\215v\321-\224\323+\363\261\243\7\211Do\230\256\257O\372\367:\357O"..., 53986) = 53986
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout)
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout)
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout)
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout)
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout)
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout)
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout)
  select(5, [], [4], [], {tv_sec=60, tv_usec=0}

  
  # Scenario from comment 16
  $ rsync -avvvz --delete source_dir target_dir
  sending incremental file list
  [sender] make_file(source_dir,*,0)
  send_file_list done
  [sender] pushing local filters for /root/source_dir/
  [sender] make_file(source_dir/file_3048,*,2)
  [sender] make_file(source_dir/file_11358,*,2)
  [sender] make_file(source_dir/file_5914,*,2)
  [sender] make_file(source_dir/file_5880,*,2)
  [sender] make_file(source_dir/file_9318,*,2)
  [sender] make_file(source_dir/file_5539,*,2)
  [...]
  sending file_sum
 

Re: [Touch-packages] [Bug 1959101] Re: sync/merge krb5

2022-02-02 Thread Andreas Hasenack
I did, and it asked me to wait for the sync to be complete before closing
the bug, this time I obeyed ;)

On Wed, Feb 2, 2022, 20:16 Sergio Durigan Junior <1959...@bugs.launchpad.net>
wrote:

> On Wednesday, February 02 2022, Andreas Hasenack wrote:
>
> > Sync requested, I'll wait for the package to migrate before closing the
> > bug.
>
> You can also invoke "syncpackage" using the "--bug" option, FWIW.
>
> --
> Sergio
> GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1959101
>
> Title:
>   sync/merge krb5
>
> Status in krb5 package in Ubuntu:
>   In Progress
>
> Bug description:
>   We went ahead of debian because of openssl3:
>   krb5 (1.19.2-0ubuntu1) jammy; urgency=medium
>
> [ Sam Hartman ]
> * New Upstream version
> * Depend on tex-gyre, Closes: #997407
>
> [Simon Chopin]
> * d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch:
>   Cherry-picked from upstream master to fix OpenSSL3 build.
>   Closes: #995152, LP: #1945795
>
>-- Simon Chopin   Tue, 30 Nov 2021
>   10:54:17 +0100
>
>   Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1:
>   krb5 (1.19.2-1) experimental; urgency=medium
>
> * New Upstream version
> * Include patch to work with OpenSSL 3.0, Closes: #995152
> * Depend on tex-gyre, Closes: #997407
>
>-- Sam Hartman   Wed, 27 Oct 2021 14:04:42 -0600
>
>   Since we are already at 1.19.2, we might as well merge/sync with
>   experimental.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions
>
> Launchpad-Notification-Type: bug
> Launchpad-Bug: distribution=ubuntu; sourcepackage=krb5; component=main;
> milestone=ubuntu-22.02; status=In Progress; importance=Undecided; assignee=
> andr...@canonical.com;
> Launchpad-Bug-Tags: needs-merge
> Launchpad-Bug-Information-Type: Public
> Launchpad-Bug-Private: no
> Launchpad-Bug-Security-Vulnerability: no
> Launchpad-Bug-Commenters: ahasenack sergiodj
> Launchpad-Bug-Reporter: Andreas Hasenack (ahasenack)
> Launchpad-Bug-Modifier: Sergio Durigan Junior (sergiodj)
> Launchpad-Message-Rationale: Subscriber
> Launchpad-Message-For: ahasenack
>
>

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1959101

Title:
  sync/merge krb5

Status in krb5 package in Ubuntu:
  In Progress

Bug description:
  We went ahead of debian because of openssl3:
  krb5 (1.19.2-0ubuntu1) jammy; urgency=medium

[ Sam Hartman ]
* New Upstream version
* Depend on tex-gyre, Closes: #997407

[Simon Chopin]
* d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch:
  Cherry-picked from upstream master to fix OpenSSL3 build.
  Closes: #995152, LP: #1945795

   -- Simon Chopin   Tue, 30 Nov 2021
  10:54:17 +0100

  Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1:
  krb5 (1.19.2-1) experimental; urgency=medium

* New Upstream version
* Include patch to work with OpenSSL 3.0, Closes: #995152
* Depend on tex-gyre, Closes: #997407
  
   -- Sam Hartman   Wed, 27 Oct 2021 14:04:42 -0600

  Since we are already at 1.19.2, we might as well merge/sync with
  experimental.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions




[Touch-packages] [Bug 1959101] Re: sync/merge krb5

2022-02-02 Thread Andreas Hasenack
Sync requested, I'll wait for the package to migrate before closing the
bug.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1959101

Title:
  sync/merge krb5

Status in krb5 package in Ubuntu:
  In Progress

Bug description:
  We went ahead of debian because of openssl3:
  krb5 (1.19.2-0ubuntu1) jammy; urgency=medium

[ Sam Hartman ]
* New Upstream version
* Depend on tex-gyre, Closes: #997407

[Simon Chopin]
* d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch:
  Cherry-picked from upstream master to fix OpenSSL3 build.
  Closes: #995152, LP: #1945795

   -- Simon Chopin   Tue, 30 Nov 2021
  10:54:17 +0100

  Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1:
  krb5 (1.19.2-1) experimental; urgency=medium

* New Upstream version
* Include patch to work with OpenSSL 3.0, Closes: #995152
* Depend on tex-gyre, Closes: #997407
  
   -- Sam Hartman   Wed, 27 Oct 2021 14:04:42 -0600

  Since we are already at 1.19.2, we might as well merge/sync with
  experimental.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions




[Touch-packages] [Bug 1959101] Re: sync/merge krb5

2022-02-02 Thread Andreas Hasenack
This can indeed be a sync, the only change wrt ubuntu is the openssl3
patch was renamed:

--- krb5-1.19.2-ubuntu/debian/patches/series2021-11-30 06:54:14.0 
-0300
+++ krb5-1.19.2-debian/debian/patches/series2021-10-27 17:04:42.0 
-0300
@@ -8,4 +8,4 @@
 debian-local/0008-Use-isystem-for-include-paths.patch
 0009-Add-.gitignore.patch
 0011-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
-0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch
+0011-Fix-softpkcs11-build-issues-with-openssl-3.0.patch
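Review bot: With the rename on the last line of this hunk, series carries two entries with the 0011- prefix (0011-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch and 0011-Fix-softpkcs11-build-issues-with-openssl-3.0.patch). Patches are applied in the order series lists them, not by their number, so the build is unaffected, but the duplicate prefix makes the file names ambiguous when referring to "patch 0011"; a unique number for the softpkcs11 patch would avoid that.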

Contents are "the same":
$ diff -u 
krb5-1.19.2-ubuntu/debian/patches/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch
 
krb5-1.19.2-debian/debian/patches/0011-Fix-softpkcs11-build-issues-with-openssl-3.0.patch
--- 
krb5-1.19.2-ubuntu/debian/patches/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch
   2021-11-30 06:54:17.0 -0300
+++ 
krb5-1.19.2-debian/debian/patches/0011-Fix-softpkcs11-build-issues-with-openssl-3.0.patch
   2021-10-27 17:04:42.0 -0300
@@ -1,7 +1,6 @@
-From 7c1bf1c800ef9837179d78fab95a2103623558db Mon Sep 17 00:00:00 2001
 From: Robbie Harwood 
 Date: Sat, 15 May 2021 17:35:25 -0400
-Subject: [PATCH] Fix softpkcs11 build issues with openssl 3.0
+Subject: Fix softpkcs11 build issues with openssl 3.0
 
 EVP_PKEY_get0_RSA() has been modified to have const return type.  Remove
 its usages in favor of the EVP_PKEY interface.  Also remove calls to
@@ -15,12 +14,14 @@
 Move several argument validation checks to the top of their functions.
 
 Fix some incorrect/inconsistent log messages.
+
+(cherry picked from commit 00de1aad7b3647b91017c7009b0bc65cd0c8b2e0)
 ---
- src/tests/softpkcs11/main.c | 290 +---
+ src/tests/softpkcs11/main.c | 290 
  1 file changed, 106 insertions(+), 184 deletions(-)
 
 diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
-index 1cccdfb43..caa537b68 100644
+index 1cccdfb..caa537b 100644
 --- a/src/tests/softpkcs11/main.c
 +++ b/src/tests/softpkcs11/main.c
 @@ -375,10 +375,9 @@ add_st_object(void)
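Review bot: The added "(cherry picked from commit 00de1aad7b3647b91017c7009b0bc65cd0c8b2e0)" trailer cites a different hash from the "From 7c1bf1c800ef9837179d78fab95a2103623558db" line removed in the previous hunk, so the two headers alone do not show that both files carry the same upstream change. The index lines here differ only in abbreviation length (1cccdfb43..caa537b68 against 1cccdfb..caa537b) and the first body hunk header is unchanged context, which supports the "Contents are the same" claim; stating that in the sync request, or diffing the two patch bodies with headers stripped, would make the equivalence explicit.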
@@ -522,6 +523,3 @@
  CK_FUNCTION_LIST funcs = {
  { 2, 11 },
  C_Initialize,
--- 
-2.32.0
-


** Changed in: krb5 (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1959101

Title:
  sync/merge krb5

Status in krb5 package in Ubuntu:
  In Progress

Bug description:
  We went ahead of debian because of openssl3:
  krb5 (1.19.2-0ubuntu1) jammy; urgency=medium

[ Sam Hartman ]
* New Upstream version
* Depend on tex-gyre, Closes: #997407

[Simon Chopin]
* d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch:
  Cherry-picked from upstream master to fix OpenSSL3 build.
  Closes: #995152, LP: #1945795

   -- Simon Chopin   Tue, 30 Nov 2021
  10:54:17 +0100

  Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1:
  krb5 (1.19.2-1) experimental; urgency=medium

* New Upstream version
* Include patch to work with OpenSSL 3.0, Closes: #995152
* Depend on tex-gyre, Closes: #997407
  
   -- Sam Hartman   Wed, 27 Oct 2021 14:04:42 -0600

  Since we are already at 1.19.2, we might as well merge/sync with
  experimental.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions




[Touch-packages] [Bug 1959101] Re: sync/merge krb5

2022-02-02 Thread Andreas Hasenack
** Changed in: krb5 (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: krb5 (Ubuntu)
Milestone: ubuntu-22.01 => ubuntu-22.02

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1959101

Title:
  sync/merge krb5

Status in krb5 package in Ubuntu:
  New

Bug description:
  We went ahead of debian because of openssl3:
  krb5 (1.19.2-0ubuntu1) jammy; urgency=medium

[ Sam Hartman ]
* New Upstream version
* Depend on tex-gyre, Closes: #997407

[Simon Chopin]
* d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch:
  Cherry-picked from upstream master to fix OpenSSL3 build.
  Closes: #995152, LP: #1945795

   -- Simon Chopin   Tue, 30 Nov 2021
  10:54:17 +0100

  Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1:
  krb5 (1.19.2-1) experimental; urgency=medium

* New Upstream version
* Include patch to work with OpenSSL 3.0, Closes: #995152
* Depend on tex-gyre, Closes: #997407
  
   -- Sam Hartman   Wed, 27 Oct 2021 14:04:42 -0600

  Since we are already at 1.19.2, we might as well merge/sync with
  experimental.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions




[Touch-packages] [Bug 1959126] [NEW] Consider update to 3.68.2

2022-01-26 Thread Andreas Hasenack
Public bug reported:

Debian is shipping nss 3.73.1, but that is not an ESR release. Ubuntu is
on 3.68, which is ESR, but two releases behind: upstream has 3.68.2.

Here are upstream's release notes:
3.68.1: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/jFIuiWbCphk
Changes:
 - Bug 1735028 - check for missing signedData field. 
 - Bug 1737470 - Ensure DER encoded signatures are within size limits.

3.68.2: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uGRwqw6Ove8
Change:
   - Bug 966856 - Add SHA-2 support to mozilla::pkix's OCSP implementation

Our 3.68 package has a patch for CVE-2021-43527. It's unclear if any of
the above changes is that CVE. The most promising one was bug 1737470,
but the bug is private.

The request here is to investigate if our patched 3.68 has one or more
of the fixes in the above point releases, and if it would be worth it to
go to 3.68.2. I think we should not go to 3.7x.

Ubuntu has been on 3.68 since impish.

** Affects: nss (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: server-todo

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1959126

Title:
  Consider update to 3.68.2

Status in nss package in Ubuntu:
  New

Bug description:
  Debian is shipping nss 3.73.1, but that is not an ESR release. Ubuntu
  is on 3.68, which is ESR, but two releases behind: upstream has
  3.68.2.

  Here are upstream's release notes:
  3.68.1: 
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/jFIuiWbCphk
  Changes:
   - Bug 1735028 - check for missing signedData field. 
   - Bug 1737470 - Ensure DER encoded signatures are within size limits.

  3.68.2: 
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uGRwqw6Ove8
  Change:
 - Bug 966856 - Add SHA-2 support to mozilla::pkix's OCSP implementation

  Our 3.68 package has a patch for CVE-2021-43527. It's unclear if any
  of the above changes is that CVE. The most promising one was bug
  1737470, but the bug is private.

  The request here is to investigate if our patched 3.68 has one or more
  of the fixes in the above point releases, and if it would be worth it
  to go to 3.68.2. I think we should not go to 3.7x.

  Ubuntu has been on 3.68 since impish.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1959126/+subscriptions




[Touch-packages] [Bug 1959101] [NEW] sync/merge krb5

2022-01-26 Thread Andreas Hasenack
Public bug reported:

We went ahead of debian because of openssl3:
krb5 (1.19.2-0ubuntu1) jammy; urgency=medium

  [ Sam Hartman ]
  * New Upstream version
  * Depend on tex-gyre, Closes: #997407

  [Simon Chopin]
  * d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch:
Cherry-picked from upstream master to fix OpenSSL3 build.
Closes: #995152, LP: #1945795

 -- Simon Chopin   Tue, 30 Nov 2021 10:54:17
+0100

Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1:
krb5 (1.19.2-1) experimental; urgency=medium

  * New Upstream version
  * Include patch to work with OpenSSL 3.0, Closes: #995152
  * Depend on tex-gyre, Closes: #997407

 -- Sam Hartman   Wed, 27 Oct 2021 14:04:42 -0600

Since we are already at 1.19.2, we might as well merge/sync with
experimental.

** Affects: krb5 (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: needs-merge

** Changed in: krb5 (Ubuntu)
Milestone: None => ubuntu-22.01

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1959101

Title:
  sync/merge krb5

Status in krb5 package in Ubuntu:
  New

Bug description:
  We went ahead of debian because of openssl3:
  krb5 (1.19.2-0ubuntu1) jammy; urgency=medium

[ Sam Hartman ]
* New Upstream version
* Depend on tex-gyre, Closes: #997407

[Simon Chopin]
* d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch:
  Cherry-picked from upstream master to fix OpenSSL3 build.
  Closes: #995152, LP: #1945795

   -- Simon Chopin   Tue, 30 Nov 2021
  10:54:17 +0100

  Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1:
  krb5 (1.19.2-1) experimental; urgency=medium

* New Upstream version
* Include patch to work with OpenSSL 3.0, Closes: #995152
* Depend on tex-gyre, Closes: #997407
  
   -- Sam Hartman   Wed, 27 Oct 2021 14:04:42 -0600

  Since we are already at 1.19.2, we might as well merge/sync with
  experimental.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions




[Touch-packages] [Bug 1957076] Re: sync cyrus-sasl2 2.1.27+dfsg2-3

2022-01-11 Thread Andreas Hasenack
This bug was fixed in the package cyrus-sasl2 - 2.1.27+dfsg2-3

---
cyrus-sasl2 (2.1.27+dfsg2-3) unstable; urgency=medium

  [ Andreas Hasenack ]
  * Fix configure.ac for autoconf 2.70 (Closes: #1003355, #1000152)

 -- Bastian Germann   Tue, 11 Jan 2022 11:25:37 +0100

** Changed in: cyrus-sasl2 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1957076

Title:
  sync cyrus-sasl2 2.1.27+dfsg2-3

Status in cyrus-sasl2 package in Ubuntu:
  Fix Released

Bug description:
  It has the fix for bug #1956833, which is our only delta presently.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1957076/+subscriptions




[Touch-packages] [Bug 1957076] Re: sync cyrus-sasl2 2.1.27+dfsg2-3

2022-01-11 Thread Andreas Hasenack
** Changed in: cyrus-sasl2 (Ubuntu)
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1957076

Title:
  sync cyrus-sasl2 2.1.27+dfsg2-3

Status in cyrus-sasl2 package in Ubuntu:
  In Progress

Bug description:
  It has the fix for bug #1956833, which is our only delta presently.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1957076/+subscriptions




[Touch-packages] [Bug 1957076] Re: sync cyrus-sasl2 2.1.27+dfsg2-3

2022-01-11 Thread Andreas Hasenack
** Changed in: cyrus-sasl2 (Ubuntu)
Milestone: None => ubuntu-22.01

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1957076

Title:
  sync cyrus-sasl2 2.1.27+dfsg2-3

Status in cyrus-sasl2 package in Ubuntu:
  Triaged

Bug description:
  It has the fix for bug #1956833, which is our only delta presently.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1957076/+subscriptions




[Touch-packages] [Bug 1677781] Re: Missing dep8 tests

2022-01-11 Thread Andreas Hasenack
We were recently hit by bug #1956833, where GSS-SPNEGO was suddenly
disabled and nobody noticed until an app tried to use it.

For that case, I'm thinking about a very simple test that would be like
this:

for algo in $ALGORITHMS; do
  saslpluginviewer -m $algo > /dev/null || {
    echo "Algorithm $algo not available"
    exit 1
  }
done

And ALGORITHMS is a list of the algorithms we expect to always be available, like:
  SCRAM-SHA-1 SCRAM-SHA-256 GS2-IAKERB GS2-KRB5 GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS


** Tags added: bitesize

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1677781

Title:
  Missing dep8 tests

Status in cyrus-sasl2 package in Ubuntu:
  New

Bug description:

  As of March 29, 2017, this source package did not contain dep8 tests in
  the current development release of Ubuntu, named Zesty. This was
  determined by running `pull-lp-source cyrus-sasl2 zesty` and then
  checking for the existence of 'debian/tests/' and
  'debian/tests/control'.

  Test automation is essential to higher levels of quality and confidence
  in updates to packages. dep8 tests [1] specify how automatic testing can
  be integrated into packages and then run by package maintainers before
  new uploads.

  This defect is to report the absence of these tests and to report the
  opportunity as a potential item for development by both new and
  experienced contributors.

  [1] http://packaging.ubuntu.com/html/auto-pkg-test.html

   affects ubuntu/cyrus-sasl2
   status new
   importance wishlist
   tag needs-dep8

  - ---
  Joshua Powers
  Ubuntu Server
  Canonical Ltd


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1677781/+subscriptions


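A variant of the mechanism check sketched in the message above, as an added example that is not part of the original message or of the cyrus-sasl2 packaging: rather than relying on the exit status of `saslpluginviewer -m`, it parses a mechanism listing as whole tokens and reports every missing mechanism at once. The function name `missing_mechs` and both sample listings are constructed here; the mechanism names are the ones quoted in bugs #1677781 and #1956833.

```shell
#!/bin/sh
# Mechanisms expected to always be available (the list given in the message).
EXPECTED_MECHS="SCRAM-SHA-1 SCRAM-SHA-256 GS2-IAKERB GS2-KRB5 GSS-SPNEGO GSSAPI
DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS"

# Constructed sample listings. The focal one repeats the mechanism lines quoted
# in bug #1956833; the jammy one is an assumed listing without GSS-SPNEGO.
FOCAL_LISTING='  GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS
  GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS'
JAMMY_LISTING='  SCRAM-SHA-1 SCRAM-SHA-256 GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS'

# missing_mechs LISTING MECH...
# Prints, space separated, every MECH that does not occur as a whole
# whitespace-delimited token in LISTING. Returns 0 if none is missing,
# 1 otherwise. Whole-token matching keeps a name such as SCRAM-SHA-1 from
# being satisfied by a longer name that merely contains it.
missing_mechs() {
    # Collapse all whitespace (newlines, indentation) to single spaces and
    # pad both ends so every token is surrounded by spaces.
    _mm_words=" $(printf '%s' "$1" | tr -s '[:space:]' ' ') "
    shift
    _mm_missing=""
    for _mm_mech in "$@"; do
        case "$_mm_words" in
            *" $_mm_mech "*) ;;
            *) _mm_missing="${_mm_missing:+$_mm_missing }$_mm_mech" ;;
        esac
    done
    printf '%s\n' "$_mm_missing"
    [ -z "$_mm_missing" ]
}

# Demonstration on the constructed listings. In a real test the first argument
# would be the captured output of saslpluginviewer instead.
for release in focal jammy; do
    case $release in
        focal) listing=$FOCAL_LISTING ;;
        jammy) listing=$JAMMY_LISTING ;;
    esac
    if missing=$(missing_mechs "$listing" $EXPECTED_MECHS); then
        echo "$release: all expected mechanisms available"
    else
        echo "$release: missing mechanisms: $missing"
    fi
done
```

Reporting the full set of missing mechanisms in one run makes a regression like the GSS-SPNEGO one visible in the test log without rerunning the test per mechanism.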


[Touch-packages] [Bug 1957076] [NEW] sync cyrus-sasl2 2.1.27+dfsg2-3

2022-01-11 Thread Andreas Hasenack
Public bug reported:

It has the fix for bug #1956833, which is our only delta presently.

** Affects: cyrus-sasl2 (Ubuntu)
 Importance: Undecided
 Assignee: Andreas Hasenack (ahasenack)
 Status: Triaged


** Tags: needs-merge

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1957076

Title:
  sync cyrus-sasl2 2.1.27+dfsg2-3

Status in cyrus-sasl2 package in Ubuntu:
  Triaged

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1957076/+subscriptions




[Touch-packages] [Bug 1956833] Re: No GSS-SPNEGO support in jammy

2022-01-08 Thread Andreas Hasenack
** Bug watch added: Debian Bug tracker #1003355
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003355

** Also affects: cyrus-sasl2 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003355
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1956833

Title:
  No GSS-SPNEGO support in jammy

Status in cyrus-sasl2 package in Ubuntu:
  In Progress
Status in cyrus-sasl2 package in Debian:
  Unknown

Bug description:
  In jammy:
  root@j1:~# saslpluginviewer | head | grep SPNEGO
  root@j1:~# 

  Confirming against a windows 2016 active directory server, fully patched:
  root@j1:~# ldapwhoami -Y GSS-SPNEGO
  ldap_sasl_interactive_bind: Unknown authentication method (-6)
  additional info: SASL(-4): no mechanism available: No worthy mechs found

  
  gssapi (kerberos) works:
  root@j1:~# ldapwhoami -Y GSSAPI
  SASL/GSSAPI authentication started
  SASL username: administra...@internal.example.fake
  SASL SSF: 256
  SASL data security layer installed.
  u:INTEXAMPLE\Administrator

  root@j1:~# klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: administra...@internal.example.fake

  Valid starting     Expires            Service principal
  01/08/22 22:31:48  01/09/22 08:31:48  krbtgt/internal.example.f...@internal.example.fake
  renew until 01/09/22 22:31:45
  01/08/22 22:34:53  01/09/22 08:31:48  ldap/win-kriet1e5elo.internal.example.fake@
  renew until 01/09/22 22:31:45
  Ticket server: ldap/win-kriet1e5elo.internal.example.f...@internal.example.fake

  
  In focal, GSS-SPNEGO works:
  root@f1:~# saslpluginviewer | head | grep SPNEGO
  GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS
  GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS

  Confirming with ldapwhoami:
  root@f1:~# ldapwhoami -Y GSS-SPNEGO
  SASL/GSS-SPNEGO authentication started
  SASL username: administra...@internal.example.fake
  SASL SSF: 256
  SASL data security layer installed.
  u:INTEXAMPLE\Administrator

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1956833/+subscriptions




[Touch-packages] [Bug 1956833] Re: No GSS-SPNEGO support in jammy

2022-01-08 Thread Andreas Hasenack
Nice discussion at
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1943013

Fix: https://github.com/cyrusimap/cyrus-sasl/pull/644

** Bug watch added: Red Hat Bugzilla #1943013
   https://bugzilla.redhat.com/show_bug.cgi?id=1943013

** Changed in: cyrus-sasl2 (Ubuntu)
   Importance: Undecided => High

** Changed in: cyrus-sasl2 (Ubuntu)
   Status: New => In Progress

** Changed in: cyrus-sasl2 (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1956833

Title:
  No GSS-SPNEGO support in jammy

Status in cyrus-sasl2 package in Ubuntu:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1956833/+subscriptions




[Touch-packages] [Bug 1956833] Re: No GSS-SPNEGO support in jammy

2022-01-08 Thread Andreas Hasenack
In the jammy build log
(https://launchpadlibrarian.net/570726294/buildlog_ubuntu-jammy-amd64.cyrus-sasl2_2.1.27+dfsg2-2build1_BUILDING.txt.gz),
we have this error which is not present in the impish build for example:

checking for SPNEGO support in GSSAPI libraries... ../configure: line 18854: ac_fn_c_try_run: command not found
no

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1956833

Title:
  No GSS-SPNEGO support in jammy

Status in cyrus-sasl2 package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1956833/+subscriptions


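The build-log symptom quoted in the message above (a configure check answering "no" because the check itself hit a shell error) can be detected mechanically. The following is an added example, not part of the original message or of the cyrus-sasl2 build; the function name `broken_configure_checks` is hypothetical and the sample log is constructed around the one line quoted from the jammy build log.

```shell
#!/bin/sh
# Constructed sample: the SPNEGO line is the one quoted from the jammy build
# log; the two surrounding checks are made up for illustration.
SAMPLE_LOG='checking for constructed-feature-a... yes
checking for SPNEGO support in GSSAPI libraries... ../configure: line 18854: ac_fn_c_try_run: command not found
no
checking for constructed-feature-b... no'

# broken_configure_checks LOG_TEXT
# Prints one line per configure check whose output contains a shell
# "command not found" error, formatted as "<check> | <error>".
# A plain "no" answer (feature genuinely absent) is not reported, so the
# output lists only checks that never actually ran.
broken_configure_checks() {
    printf '%s\n' "$1" | awk '
        /^checking / {
            # Remember the name of the check currently being run:
            # the text between "checking " and the first "...".
            name = $0
            sub(/^checking /, "", name)
            sub(/\.\.\..*$/, "", name)
            pending = 1
        }
        pending && match($0, /configure: line [0-9]+: [^:]+: command not found/) {
            # The error may sit on the "checking" line itself (as in the
            # quoted log) or on a following line before the next check.
            printf "%s | %s\n", name, substr($0, RSTART, RLENGTH)
            pending = 0
        }'
}

# Demonstration on the constructed log.
broken_configure_checks "$SAMPLE_LOG"
```

Run over a full build log, any output from this function points at a feature that was disabled by a broken check rather than by a real absence of the library.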


[Touch-packages] [Bug 1956833] Re: No GSS-SPNEGO support in jammy

2022-01-08 Thread Andreas Hasenack
Impish also works:

root@i1:~# saslpluginviewer | head | grep SPNEGO
  SCRAM-SHA-1 SCRAM-SHA-256 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
  SCRAM-SHA-1 SCRAM-SHA-256 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS


root@i1:~# ldapwhoami -Y GSS-SPNEGO
SASL/GSS-SPNEGO authentication started
SASL username: administra...@internal.example.fake
SASL SSF: 256
SASL data security layer installed.
u:INTEXAMPLE\Administrator

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1956833

Title:
  No GSS-SPNEGO support in jammy

Status in cyrus-sasl2 package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1956833/+subscriptions




[Touch-packages] [Bug 1956833] [NEW] No GSS-SPNEGO support in jammy

2022-01-08 Thread Andreas Hasenack
Public bug reported:

In jammy:
root@j1:~# saslpluginviewer | head | grep SPNEGO
root@j1:~# 

Confirming against a windows 2016 active directory server, fully patched:
root@j1:~# ldapwhoami -Y GSS-SPNEGO
ldap_sasl_interactive_bind: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found


gssapi (kerberos) works:
root@j1:~# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: administra...@internal.example.fake
SASL SSF: 256
SASL data security layer installed.
u:INTEXAMPLE\Administrator

root@j1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@internal.example.fake

Valid starting     Expires            Service principal
01/08/22 22:31:48  01/09/22 08:31:48  krbtgt/internal.example.f...@internal.example.fake
renew until 01/09/22 22:31:45
01/08/22 22:34:53  01/09/22 08:31:48  ldap/win-kriet1e5elo.internal.example.fake@
renew until 01/09/22 22:31:45
Ticket server: ldap/win-kriet1e5elo.internal.example.f...@internal.example.fake


In focal, GSS-SPNEGO works:
root@f1:~# saslpluginviewer | head | grep SPNEGO
  GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS
  GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS

Confirming with ldapwhoami:
root@f1:~# ldapwhoami -Y GSS-SPNEGO
SASL/GSS-SPNEGO authentication started
SASL username: administra...@internal.example.fake
SASL SSF: 256
SASL data security layer installed.
u:INTEXAMPLE\Administrator

** Affects: cyrus-sasl2 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1956833

Title:
  No GSS-SPNEGO support in jammy

Status in cyrus-sasl2 package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1956833/+subscriptions




[Touch-packages] [Bug 1953200] Re: [jammy] FTBFS, gcc ICE?

2021-12-26 Thread Andreas Hasenack
Maybe https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101346 ?

** Also affects: gcc-11 (Ubuntu)
   Importance: Undecided
   Status: New

** Bug watch added: GCC Bugzilla #101346
   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101346

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to mir in Ubuntu.
https://bugs.launchpad.net/bugs/1953200

Title:
  [jammy] FTBFS, gcc ICE?

Status in gcc-11 package in Ubuntu:
  New
Status in mir package in Ubuntu:
  New

Bug description:
  https://launchpad.net/ubuntu/+source/mir/2.4.1-0ubuntu3

  [ 38%] Building CXX object 
src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o
  cd /<>/build-amd64/src/client && /usr/bin/c++ 
-DCLIENT_PLATFORM_VERSION=\"MIR_CLIENT_PLATFORM_5\" -DEGL_NO_X11 -DLOG_NDEBUG=1 
-DLTTNG_UST_HAVE_SDT_INTEGRATION -DMESA_EGL_NO_X11_HEADERS 
-DMIR_CLIENT_PLATFORM_PATH=\"/usr/lib/x86_64-linux-gnu/mir/client-platform/\" 
-DMIR_DRMMODEADDFB_HAS_CONST_SIGNATURE 
-DMIR_LOG_COMPONENT_FALLBACK=\"mirclient\" -DMIR_VERSION_MAJOR=2 
-DMIR_VERSION_MICRO=1 -DMIR_VERSION_MINOR=4 -D_FILE_OFFSET_BITS=64 
-D_GNU_SOURCE -I/<>/include/core -I/<>/include/common 
-I/<>/include/cookie -I/<>/src/include/common 
-I/<>/build-amd64/src/capnproto 
-I/<>/build-amd64/src/protobuf 
-I/<>/build-amd64/src/client -I/<>/include/platform 
-I/<>/include/client -I/<>/src/include/client 
-I/<>/src/include/cookie -I/usr/include/libdrm -g -O2 
-ffile-prefix-map=/<>=. -flto=auto -ffat-lto-objects 
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
-D_FORTIFY_SOURCE=2 -pthread -g -std=c++17 -Wall -fno-strict-aliasing -pedantic 
-Wnon-virtual-dtor -Wextra -fPIC -Werror -Wno-mismatched-tags -Wno-psabi -flto 
-ffat-lto-objects -std=c++17 -MD -MT 
src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -MF 
CMakeFiles/mirclientobjects.dir/event_printer.cpp.o.d -o 
CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -c 
/<>/src/client/event_printer.cpp
  In file included from /usr/include/boost/bind.hpp:30,
   from 
/<>/src/client/rpc/mir_protobuf_rpc_channel.cpp:44:
  /usr/include/boost/bind.hpp:36:1: note: ‘#pragma message: The practice of 
declaring the Bind placeholders (_1, _2, ...) in the global namespace is 
deprecated. Please use  + using namespace 
boost::placeholders, or define BOOST_BIND_GLOBAL_PLACEHOLDERS to retain the 
current behavior.’
 36 | BOOST_PRAGMA_MESSAGE(
| ^~~~
  The bug is not reproducible, so it is likely a hardware or OS problem.
  make[3]: *** 
[src/client/lttng/CMakeFiles/mirclientlttng-static.dir/build.make:107: 
src/client/lttng/CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o]
 Error 1
  make[3]: Leaving directory '/<>/build-amd64'
  make[2]: *** [CMakeFiles/Makefile2:4657: 
src/client/lttng/CMakeFiles/mirclientlttng-static.dir/all] Error 2
  make[2]: *** Waiting for unfinished jobs

  
  Possibly relevant, this seems to be using boost 1.74.0-13ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-11/+bug/1953200/+subscriptions




[Touch-packages] [Bug 1953200] Re: [jammy] FTBFS, gcc ICE?

2021-12-26 Thread Andreas Hasenack
Actually, this may be an ICE. Further up in the logs we see:
[ 37%] Building CXX object 
src/client/lttng/CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o
cd /<>/build-amd64/src/client/lttng && /usr/bin/c++ 
-DCLIENT_PLATFORM_VERSION=\"MIR_CLIENT_PLATFORM_5\" -DEGL_NO_X11 -DLOG_NDEBUG=1 
-DLTTNG_UST_HAVE_SDT_INTEGRATION -DMESA_EGL_NO_X11_HEADERS 
-DMIR_CLIENT_PLATFORM_PATH=\"/usr/lib/x86_64-linux-gnu/mir/client-platform/\" 
-DMIR_DRMMODEADDFB_HAS_CONST_SIGNATURE 
-DMIR_LOG_COMPONENT_FALLBACK=\"mirclient\" -DMIR_VERSION_MAJOR=2 
-DMIR_VERSION_MICRO=1 -DMIR_VERSION_MINOR=4 -D_FILE_OFFSET_BITS=64 
-D_GNU_SOURCE -I/<>/include/core -I/<>/include/common 
-I/<>/include/cookie -I/<>/src/include/common 
-I/<>/build-amd64/src/capnproto 
-I/<>/build-amd64/src/protobuf 
-I/<>/build-amd64/src/client -I/<>/include/platform 
-I/<>/include/client -I/<>/src/include/client 
-I/<>/src/include/cookie -I/usr/include/libdrm 
-I/<>/src/client/lttng -g -O2 -ffile-prefix-map=/<>=. 
-flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat 
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -pthread -g -std=c++17 
-Wall -fno-strict-aliasing  -Wnon-virtual-dtor -Wextra -fPIC -Werror 
-Wno-mismatched-tags -Wno-psabi -flto -ffat-lto-objects 
-Wno-error=missing-field-initializers -Wno-error=unused-function -std=c++17 -MD 
-MT 
src/client/lttng/CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o
 -MF CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o.d -o 
CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o -c 
/<>/src/client/lttng/input_receiver_report.cpp
during RTL pass: reload
/<>/src/client/lttng/input_receiver_report.cpp: In member function 
‘mir::client::lttng::InputReceiverReport::report_touch(MirInputEvent const*) 
const’:
/<>/src/client/lttng/input_receiver_report.cpp:80:1: internal 
compiler error: maximum number of generated reload insns per insn achieved (90)
   80 | }
  | ^
0x7fedb2989fcf __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
0x7fedb298a07c __libc_start_main_impl
../csu/libc-start.c:409
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See  for instructions.

** Summary changed:

- [jammy] FTBFS with boost
+ [jammy] FTBFS, gcc ICE?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to mir in Ubuntu.
https://bugs.launchpad.net/bugs/1953200

Title:
  [jammy] FTBFS, gcc ICE?

Status in mir package in Ubuntu:
  New


[Touch-packages] [Bug 1953065] Re: 2.13.0 FTBFS

2021-12-19 Thread Andreas Hasenack
Fix was merged upstream, and 2.13.1 contains it.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ust in Ubuntu.
https://bugs.launchpad.net/bugs/1953065

Title:
  2.13.0 FTBFS

Status in LTTng-UST:
  Unknown
Status in ust package in Ubuntu:
  In Progress

Bug description:
  I tried to merge ust from debian into ubuntu, to fix a build-time
  dependency, but stumbled on an FTBFS with that version.

  I filed upstream bug at https://bugs.lttng.org/issues/1337

  It basically happens in some new test cases that were added in 2.13.0
  and crash when we build it using our default -Wl,-Bsymbolic-flags
  linker option, which we have been using for years in Ubuntu.

  Here is the testsuite log output:
  
 lttng-ust 2.14.0-pre: tests/test-suite.log
  

  # TOTAL: 246
  # PASS:  241
  # SKIP:  0
  # XFAIL: 0
  # FAIL:  4
  # XPASS: 0
  # ERROR: 1

  .. contents:: :depth: 2

  ERROR: regression/abi0-conflict/test_abi0_conflict
  ==

  1..22
  # LD_PRELOAD
  # regression/abi0-conflict/test_abi0_conflict: LD_PRELOAD
  ok 1 - LD_PRELOAD: no-ust app works
  PASS: regression/abi0-conflict/test_abi0_conflict 1 - LD_PRELOAD: no-ust app 
works
  ok 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds
  PASS: regression/abi0-conflict/test_abi0_conflict 2 - LD_PRELOAD: no-ust app 
with abi0 preload succeeds
  ./regression/abi0-conflict/test_abi0_conflict: line 56: 592651 Aborted
 (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" 
"${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 3 - LD_PRELOAD: no-ust app 
with abi0 and abi1 preload fails
  ./regression/abi0-conflict/test_abi0_conflict: line 59: 592652 Aborted
 (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" 
"${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 4 - LD_PRELOAD: no-ust app 
with abi1 and abi0 preload fails
  ok 5 - LD_PRELOAD: ust app works
  PASS: regression/abi0-conflict/test_abi0_conflict 5 - LD_PRELOAD: ust app 
works
  ./regression/abi0-conflict/test_abi0_conflict: line 68: 592669 Aborted
 (core dumped) LD_PRELOAD="${LIBFAKEUST0}" "${CURDIR}/app_ust" > 
"$STD_OUTPUT" 2> "$STD_ERROR"
  ok 6 - LD_PRELOAD: ust app with abi0 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 6 - LD_PRELOAD: ust app 
with abi0 preload fails
  ./regression/abi0-conflict/test_abi0_conflict: line 71: 592683 Aborted
 (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" 
"${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 7 - LD_PRELOAD: ust app 
with abi0 and abi1 preload fails
  ./regression/abi0-conflict/test_abi0_conflict: line 74: 592684 Aborted
 (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" 
"${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 8 - LD_PRELOAD: ust app 
with abi1 and abi0 preload fails
  # dlopen
  # regression/abi0-conflict/test_abi0_conflict: dlopen
  ok 9 - dlopen: no-ust app works
  PASS: regression/abi0-conflict/test_abi0_conflict 9 - dlopen: no-ust app works
  ok 10 - dlopen: no-ust app with abi1 and abi1 succeeds
  PASS: regression/abi0-conflict/test_abi0_conflict 10 - dlopen: no-ust app 
with abi1 and abi1 succeeds
  ./regression/abi0-conflict/test_abi0_conflict: line 92: 592689 Aborted
 (core dumped) LD_LIBRARY_PATH="$LIBFAKEUST0_PATH:$LIBUST1_PATH" 
"${CURDIR}/app_noust_dlopen" abi0_abi1 > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 11 - dlopen: no-ust app with abi0 and abi1 fails
  PASS: regression/abi0-conflict/test_abi0_conflict 11 - dlopen: no-ust app 
with abi0 and abi1 fails
  not ok 12 - dlopen: no-ust app with abi1 and abi0 fails
  FAIL: regression/abi0-conflict/test_abi0_conflict 12 - dlopen: no-ust app 
with abi1 and abi0 fails
  #   Failed test 'dlopen: no-ust app with abi1 and abi0 fails'
  # regression/abi0-conflict/test_abi0_conflict: Failed test 'dlopen: no-ust 
app with abi1 and abi0 fails'
  #   in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at 
line 300.
  # regression/abi0-conflict/test_abi0_conflict: in 
/home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at line 300.
  #  got: '0'
  # regression/abi0-conflict/test_abi0_conflict: got: '0'
  # expected: '0'
  # regression/abi0-conflict/test_abi0_conflict: expected: '0'
  ok 13 - dlopen: ust app works
  PASS: 

[Touch-packages] [Bug 1823422] Re: heimdal ftbfs in disco

2021-12-09 Thread Andreas Hasenack
Disco is EOL, and the package builds fine in current devel release.
Closing the bug.

** Changed in: heimdal (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to heimdal in Ubuntu.
https://bugs.launchpad.net/bugs/1823422

Title:
  heimdal ftbfs in disco

Status in Heimdal:
  New
Status in heimdal package in Ubuntu:
  Fix Released
Status in heimdal package in Debian:
  Fix Released

Bug description:
  https://launchpadlibrarian.net/417925401/buildlog_ubuntu-disco-amd64.heimdal_7.5.0+dfsg-2.1_BUILDING.txt.gz

  =
 Heimdal 7.5.0: lib/hx509/test-suite.log
  =

  # TOTAL: 16
  # PASS:  15
  # SKIP:  0
  # XFAIL: 0
  # FAIL:  1
  # XPASS: 0
  # ERROR: 0

  .. contents:: :depth: 2

  FAIL: test_chain
  

  cert -> root
  cert -> root
  cert -> root
  sub-cert -> root
  sub-cert -> sub-ca -> root
  sub-cert -> sub-ca
  sub-cert -> sub-ca -> root
  sub-cert -> sub-ca -> root
  sub-cert -> sub-ca -> root
  max depth 2 (ok)
  max depth 1 (fail)
  ocsp non-ca responder
  ocsp ca responder
  ocsp no-ca responder, missing cert
  ocsp no-ca responder, missing cert, in pool
  ocsp no-ca responder, keyHash
  ocsp revoked cert
  ocsp print reply resp1-ocsp-no-cert
  ocsp print reply resp1-ca
  ocsp print reply resp1-keyhash
  ocsp print reply resp2
  ocsp verify exists
  ocsp verify not exists
  ocsp verify revoked
  crl non-revoked cert
  FAIL test_chain (exit status: 1)

  
  Testsuite summary for Heimdal 7.5.0
  
  # TOTAL: 16
  # PASS:  15
  # SKIP:  0
  # XFAIL: 0
  # FAIL:  1
  # XPASS: 0
  # ERROR: 0
  
  See lib/hx509/test-suite.log
  Please report to https://github.com/heimdal/heimdal/issues

To manage notifications about this bug go to:
https://bugs.launchpad.net/heimdal/+bug/1823422/+subscriptions




[Touch-packages] [Bug 1946860] Re: Merge heimdal from Debian unstable for 22.04

2021-12-08 Thread Andreas Hasenack
** Changed in: heimdal (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to heimdal in Ubuntu.
https://bugs.launchpad.net/bugs/1946860

Title:
  Merge heimdal from Debian unstable for 22.04

Status in heimdal package in Ubuntu:
  In Progress

Bug description:
  Upstream: tbd
  Debian:   7.7.0+dfsg-2
  Ubuntu:   7.7.0+dfsg-2ubuntu2

  ### New Debian Changes ###

  heimdal (7.7.0+dfsg-2) unstable; urgency=medium

    * Build using python3. Closes: #936695, #960032.

   -- Brian May   Tue, 12 May 2020 06:56:04 +1000

  heimdal (7.7.0+dfsg-1) unstable; urgency=medium

    * New upstream version.
    * Fix CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction
  was not being applied when processing protocol
  transition requests (S4U2Self), in the AD DC KDC. Closes: #946786.

   -- Brian May   Tue, 17 Dec 2019 20:23:41 +1100

  heimdal (7.5.0+dfsg-3) unstable; urgency=high

    * CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum.
  Closes: #928966.
    * CVE-2019-12098: Always confirm PA-PKINIT-KX for anon PKINIT.
  Closes: #929064.
    * Update test certificates to pre 2038 expiry. Closes: #923930.

   -- Brian May   Tue, 21 May 2019 18:04:35 +1000

  heimdal (7.5.0+dfsg-2.1) unstable; urgency=medium

    * Non-maintainer upload
    * Add patch to create headers before building (Closes: 906623)

   -- Hilko Bengen   Sun, 28 Oct 2018 15:10:44 +0100

  heimdal (7.5.0+dfsg-2) unstable; urgency=medium

    * Replace 'MAXHOSTNAMELEN' with 'MaxHostNameLen' in kdc/kx509.c for The
  Hurd. Closes: #900079.

   -- Brian May   Sat, 02 Jun 2018 10:01:46 +1000

  heimdal (7.5.0+dfsg-1) unstable; urgency=high

    * New upstream version. (Closes: #850723)
  + CVE-2017-17439: Remote unauthenticated DoS in Heimdal-KDC 7.4
    (Closes: #878144, #868157)
  + Refresh patches.
    * Bump Standards-Version to 4.1.2 and compat level to 10.
  + Remove explicit reference to dh-autoreconf.
    * Use uscan to get orig source.
  + Refrain from mangling some bundled RFC texts;
    just exclude them as they are not installed into any binary anyway.
  + Update d/copyright to DEP-5.
  + Can now use standard uscan/gbp/pristine-tar workflow.
    * Fix some lintian errors/warnings.
  + Strip trailing whitespace from changelog.
  + Fix some duplicate long descriptions.
  + Use optional priority everywhere.
  + Update/remove some overrides.
  + Enforce set -e in maintainer scripts.
  + Enable hardening.
    * Migrate to -dbgsym.
    * Add myself to uploaders.

   -- Dominik George   Fri, 15 Dec 2017 01:13:04
  +0100

  heimdal (7.4.0.dfsg.1-2) unstable; urgency=medium

    [ Jelmer Vernooij ]
    * Remove myself from uploaders.

    [ Brian May ]
    * Be explicit with heimdal.mkey filename in postinst. Closes: #868638.
    * Tests should respect DEB_BUILD_OPTIONS=nocheck.  Closes: #868842.

   -- Brian May   Sun, 23 Jul 2017 10:32:34 +1000

  heimdal (7.4.0.dfsg.1-1) unstable; urgency=high

    * New upstream version.
    * Update standards version to 4.0.0.
    * CVE-2017-11103: Fix Orpheus' Lyre KDC-REP service name validation.
  (Closes: #868208).

   -- Brian May   Sat, 15 Jul 2017 19:47:32 +1000

  heimdal (7.1.0+dfsg-13) unstable; urgency=medium

    * Add missing symbols base64_decode and base64_encode back into
  libroken. Closes: #848694.

   -- Brian May   Wed, 26 Apr 2017 19:38:20 +1000

  heimdal (7.1.0+dfsg-12) unstable; urgency=high

    * Fix transit path validation CVE-2017-6594.

   -- Brian May   Mon, 10 Apr 2017 17:21:35 +1000

  heimdal (7.1.0+dfsg-11) unstable; urgency=medium

    * Remove legacy provides/conflicts/replaces headers. Old daemons

  ### Old Ubuntu Delta ###

  heimdal (7.7.0+dfsg-2ubuntu2) impish; urgency=medium

    * Remove symbol rk_closefrom@HEIMDAL_ROKEN_1.0 1.4.0+git20110226
  (LP: #1945787)

   -- Heinrich Schuchardt   Fri, 01
  Oct 2021 15:03:02 +0200

  heimdal (7.7.0+dfsg-2ubuntu1) impish; urgency=medium

    * Disable lto, to regain dep on roken, otherwise dependencies on amd64
  are different to i386 resulting in different files on amd64 and
  i386. LP: #1934936

   -- Dimitri John Ledkov   Tue, 20 Jul
  2021 10:32:53 +0100

  heimdal (7.7.0+dfsg-2build1) impish; urgency=medium

    * No-change rebuild due to OpenLDAP soname bump.

   -- Sergio Durigan Junior   Mon, 21 Jun
  2021 17:48:49 -0400

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1946860/+subscriptions




[Touch-packages] [Bug 1946860] Re: Merge heimdal from Debian unstable for 22.04

2021-12-08 Thread Andreas Hasenack
** Changed in: heimdal (Ubuntu)
Milestone: ubuntu-21.11 => ubuntu-21.12

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to heimdal in Ubuntu.
https://bugs.launchpad.net/bugs/1946860

Title:
  Merge heimdal from Debian unstable for 22.04

Status in heimdal package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1946860/+subscriptions




[Touch-packages] [Bug 1953200] Re: [jammy] FTBFS with boost

2021-12-03 Thread Andreas Hasenack
** Tags removed: update-excuses
** Tags added: update-excuse

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to mir in Ubuntu.
https://bugs.launchpad.net/bugs/1953200

Title:
  [jammy] FTBFS with boost

Status in mir package in Ubuntu:
  New

Bug description:
  https://launchpad.net/ubuntu/+source/mir/2.4.1-0ubuntu3

  [ 38%] Building CXX object 
src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o
  cd /<>/build-amd64/src/client && /usr/bin/c++ 
-DCLIENT_PLATFORM_VERSION=\"MIR_CLIENT_PLATFORM_5\" -DEGL_NO_X11 -DLOG_NDEBUG=1 
-DLTTNG_UST_HAVE_SDT_INTEGRATION -DMESA_EGL_NO_X11_HEADERS 
-DMIR_CLIENT_PLATFORM_PATH=\"/usr/lib/x86_64-linux-gnu/mir/client-platform/\" 
-DMIR_DRMMODEADDFB_HAS_CONST_SIGNATURE 
-DMIR_LOG_COMPONENT_FALLBACK=\"mirclient\" -DMIR_VERSION_MAJOR=2 
-DMIR_VERSION_MICRO=1 -DMIR_VERSION_MINOR=4 -D_FILE_OFFSET_BITS=64 
-D_GNU_SOURCE -I/<>/include/core -I/<>/include/common 
-I/<>/include/cookie -I/<>/src/include/common 
-I/<>/build-amd64/src/capnproto 
-I/<>/build-amd64/src/protobuf 
-I/<>/build-amd64/src/client -I/<>/include/platform 
-I/<>/include/client -I/<>/src/include/client 
-I/<>/src/include/cookie -I/usr/include/libdrm -g -O2 
-ffile-prefix-map=/<>=. -flto=auto -ffat-lto-objects 
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
-D_FORTIFY_SOURCE=2 -pthread -g -std=c++17 -Wall -fno-strict-aliasing -pedantic 
-Wnon-virtual-dtor -Wextra -fPIC -Werror -Wno-mismatched-tags -Wno-psabi -flto 
-ffat-lto-objects -std=c++17 -MD -MT 
src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -MF 
CMakeFiles/mirclientobjects.dir/event_printer.cpp.o.d -o 
CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -c 
/<>/src/client/event_printer.cpp
  In file included from /usr/include/boost/bind.hpp:30,
   from 
/<>/src/client/rpc/mir_protobuf_rpc_channel.cpp:44:
  /usr/include/boost/bind.hpp:36:1: note: ‘#pragma message: The practice of 
declaring the Bind placeholders (_1, _2, ...) in the global namespace is 
deprecated. Please use <boost/bind/bind.hpp> + using namespace 
boost::placeholders, or define BOOST_BIND_GLOBAL_PLACEHOLDERS to retain the 
current behavior.’
 36 | BOOST_PRAGMA_MESSAGE(
| ^~~~
  The bug is not reproducible, so it is likely a hardware or OS problem.
  make[3]: *** 
[src/client/lttng/CMakeFiles/mirclientlttng-static.dir/build.make:107: 
src/client/lttng/CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o]
 Error 1
  make[3]: Leaving directory '/<>/build-amd64'
  make[2]: *** [CMakeFiles/Makefile2:4657: 
src/client/lttng/CMakeFiles/mirclientlttng-static.dir/all] Error 2
  make[2]: *** Waiting for unfinished jobs

  
  Possibly relevant, this seems to be using boost 1.74.0-13ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mir/+bug/1953200/+subscriptions




[Touch-packages] [Bug 1953200] [NEW] [jammy] FTBFS with boost

2021-12-03 Thread Andreas Hasenack
Public bug reported:

https://launchpad.net/ubuntu/+source/mir/2.4.1-0ubuntu3

[ 38%] Building CXX object 
src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o
cd /<>/build-amd64/src/client && /usr/bin/c++ 
-DCLIENT_PLATFORM_VERSION=\"MIR_CLIENT_PLATFORM_5\" -DEGL_NO_X11 -DLOG_NDEBUG=1 
-DLTTNG_UST_HAVE_SDT_INTEGRATION -DMESA_EGL_NO_X11_HEADERS 
-DMIR_CLIENT_PLATFORM_PATH=\"/usr/lib/x86_64-linux-gnu/mir/client-platform/\" 
-DMIR_DRMMODEADDFB_HAS_CONST_SIGNATURE 
-DMIR_LOG_COMPONENT_FALLBACK=\"mirclient\" -DMIR_VERSION_MAJOR=2 
-DMIR_VERSION_MICRO=1 -DMIR_VERSION_MINOR=4 -D_FILE_OFFSET_BITS=64 
-D_GNU_SOURCE -I/<>/include/core -I/<>/include/common 
-I/<>/include/cookie -I/<>/src/include/common 
-I/<>/build-amd64/src/capnproto 
-I/<>/build-amd64/src/protobuf 
-I/<>/build-amd64/src/client -I/<>/include/platform 
-I/<>/include/client -I/<>/src/include/client 
-I/<>/src/include/cookie -I/usr/include/libdrm -g -O2 
-ffile-prefix-map=/<>=. -flto=auto -ffat-lto-objects 
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
-D_FORTIFY_SOURCE=2 -pthread -g -std=c++17 -Wall -fno-strict-aliasing -pedantic 
-Wnon-virtual-dtor -Wextra -fPIC -Werror -Wno-mismatched-tags -Wno-psabi -flto 
-ffat-lto-objects -std=c++17 -MD -MT 
src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -MF 
CMakeFiles/mirclientobjects.dir/event_printer.cpp.o.d -o 
CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -c 
/<>/src/client/event_printer.cpp
In file included from /usr/include/boost/bind.hpp:30,
 from 
/<>/src/client/rpc/mir_protobuf_rpc_channel.cpp:44:
/usr/include/boost/bind.hpp:36:1: note: ‘#pragma message: The practice of 
declaring the Bind placeholders (_1, _2, ...) in the global namespace is 
deprecated. Please use <boost/bind/bind.hpp> + using namespace 
boost::placeholders, or define BOOST_BIND_GLOBAL_PLACEHOLDERS to retain the 
current behavior.’
   36 | BOOST_PRAGMA_MESSAGE(
  | ^~~~
The bug is not reproducible, so it is likely a hardware or OS problem.
make[3]: *** 
[src/client/lttng/CMakeFiles/mirclientlttng-static.dir/build.make:107: 
src/client/lttng/CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o]
 Error 1
make[3]: Leaving directory '/<>/build-amd64'
make[2]: *** [CMakeFiles/Makefile2:4657: 
src/client/lttng/CMakeFiles/mirclientlttng-static.dir/all] Error 2
make[2]: *** Waiting for unfinished jobs


Possibly relevant, this seems to be using boost 1.74.0-13ubuntu1

** Affects: mir (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: ftbfs update-excuses

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to mir in Ubuntu.
https://bugs.launchpad.net/bugs/1953200

Title:
  [jammy] FTBFS with boost

Status in mir package in Ubuntu:
  New


[Touch-packages] [Bug 1953065] Re: 2.13.0 FTBFS

2021-12-02 Thread Andreas Hasenack
** Changed in: ust (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: ust (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ust in Ubuntu.
https://bugs.launchpad.net/bugs/1953065

Title:
  2.13.0 FTBFS

Status in LTTng-UST:
  Unknown
Status in ust package in Ubuntu:
  In Progress

Bug description:
  I tried to merge ust from debian into ubuntu, to fix a build-time
  dependency, but stumbled on an FTBFS with that version.

  I filed upstream bug at https://bugs.lttng.org/issues/1337

  It basically happens in some new test cases that were added in 2.13.0
  and crash when we build it using our default -Wl,-Bsymbolic-flags
  linker option, which we have been using for years in Ubuntu.

  Here is the testsuite log output:
  
 lttng-ust 2.14.0-pre: tests/test-suite.log
  

  # TOTAL: 246
  # PASS:  241
  # SKIP:  0
  # XFAIL: 0
  # FAIL:  4
  # XPASS: 0
  # ERROR: 1

  .. contents:: :depth: 2

  ERROR: regression/abi0-conflict/test_abi0_conflict
  ==

  1..22
  # LD_PRELOAD
  # regression/abi0-conflict/test_abi0_conflict: LD_PRELOAD
  ok 1 - LD_PRELOAD: no-ust app works
  PASS: regression/abi0-conflict/test_abi0_conflict 1 - LD_PRELOAD: no-ust app 
works
  ok 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds
  PASS: regression/abi0-conflict/test_abi0_conflict 2 - LD_PRELOAD: no-ust app 
with abi0 preload succeeds
  ./regression/abi0-conflict/test_abi0_conflict: line 56: 592651 Aborted
 (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" 
"${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 3 - LD_PRELOAD: no-ust app 
with abi0 and abi1 preload fails
  ./regression/abi0-conflict/test_abi0_conflict: line 59: 592652 Aborted
 (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" 
"${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 4 - LD_PRELOAD: no-ust app 
with abi1 and abi0 preload fails
  ok 5 - LD_PRELOAD: ust app works
  PASS: regression/abi0-conflict/test_abi0_conflict 5 - LD_PRELOAD: ust app 
works
  ./regression/abi0-conflict/test_abi0_conflict: line 68: 592669 Aborted
 (core dumped) LD_PRELOAD="${LIBFAKEUST0}" "${CURDIR}/app_ust" > 
"$STD_OUTPUT" 2> "$STD_ERROR"
  ok 6 - LD_PRELOAD: ust app with abi0 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 6 - LD_PRELOAD: ust app 
with abi0 preload fails
  ./regression/abi0-conflict/test_abi0_conflict: line 71: 592683 Aborted
 (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" 
"${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 7 - LD_PRELOAD: ust app 
with abi0 and abi1 preload fails
  ./regression/abi0-conflict/test_abi0_conflict: line 74: 592684 Aborted
 (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" 
"${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails
  PASS: regression/abi0-conflict/test_abi0_conflict 8 - LD_PRELOAD: ust app 
with abi1 and abi0 preload fails
  # dlopen
  # regression/abi0-conflict/test_abi0_conflict: dlopen
  ok 9 - dlopen: no-ust app works
  PASS: regression/abi0-conflict/test_abi0_conflict 9 - dlopen: no-ust app works
  ok 10 - dlopen: no-ust app with abi1 and abi1 succeeds
  PASS: regression/abi0-conflict/test_abi0_conflict 10 - dlopen: no-ust app 
with abi1 and abi1 succeeds
  ./regression/abi0-conflict/test_abi0_conflict: line 92: 592689 Aborted
 (core dumped) LD_LIBRARY_PATH="$LIBFAKEUST0_PATH:$LIBUST1_PATH" 
"${CURDIR}/app_noust_dlopen" abi0_abi1 > "$STD_OUTPUT" 2> "$STD_ERROR"
  ok 11 - dlopen: no-ust app with abi0 and abi1 fails
  PASS: regression/abi0-conflict/test_abi0_conflict 11 - dlopen: no-ust app 
with abi0 and abi1 fails
  not ok 12 - dlopen: no-ust app with abi1 and abi0 fails
  FAIL: regression/abi0-conflict/test_abi0_conflict 12 - dlopen: no-ust app 
with abi1 and abi0 fails
  #   Failed test 'dlopen: no-ust app with abi1 and abi0 fails'
  # regression/abi0-conflict/test_abi0_conflict: Failed test 'dlopen: no-ust 
app with abi1 and abi0 fails'
  #   in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:i

[Touch-packages] [Bug 1953065] [NEW] 2.13.0 FTBFS

2021-12-02 Thread Andreas Hasenack
Public bug reported:

I tried to merge ust from debian into ubuntu, to fix a build-time
dependency, but stumbled on an FTBFS with that version.

I filed upstream bug at https://bugs.lttng.org/issues/1337

It basically happens in some new test cases that were added in 2.13.0
and crash when we build it using our default -Wl,-Bsymbolic-flags linker
option, which we have been using for years in Ubuntu.

Here is the testsuite log output:

   lttng-ust 2.14.0-pre: tests/test-suite.log


# TOTAL: 246
# PASS:  241
# SKIP:  0
# XFAIL: 0
# FAIL:  4
# XPASS: 0
# ERROR: 1

.. contents:: :depth: 2

ERROR: regression/abi0-conflict/test_abi0_conflict
==

1..22
# LD_PRELOAD
# regression/abi0-conflict/test_abi0_conflict: LD_PRELOAD
ok 1 - LD_PRELOAD: no-ust app works
PASS: regression/abi0-conflict/test_abi0_conflict 1 - LD_PRELOAD: no-ust app 
works
ok 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds
PASS: regression/abi0-conflict/test_abi0_conflict 2 - LD_PRELOAD: no-ust app 
with abi0 preload succeeds
./regression/abi0-conflict/test_abi0_conflict: line 56: 592651 Aborted  
   (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" 
"${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR"
ok 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails
PASS: regression/abi0-conflict/test_abi0_conflict 3 - LD_PRELOAD: no-ust app 
with abi0 and abi1 preload fails
./regression/abi0-conflict/test_abi0_conflict: line 59: 592652 Aborted  
   (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" 
"${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR"
ok 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails
PASS: regression/abi0-conflict/test_abi0_conflict 4 - LD_PRELOAD: no-ust app 
with abi1 and abi0 preload fails
ok 5 - LD_PRELOAD: ust app works
PASS: regression/abi0-conflict/test_abi0_conflict 5 - LD_PRELOAD: ust app works
./regression/abi0-conflict/test_abi0_conflict: line 68: 592669 Aborted  
   (core dumped) LD_PRELOAD="${LIBFAKEUST0}" "${CURDIR}/app_ust" > 
"$STD_OUTPUT" 2> "$STD_ERROR"
ok 6 - LD_PRELOAD: ust app with abi0 preload fails
PASS: regression/abi0-conflict/test_abi0_conflict 6 - LD_PRELOAD: ust app with 
abi0 preload fails
./regression/abi0-conflict/test_abi0_conflict: line 71: 592683 Aborted  
   (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" "${CURDIR}/app_ust" 
> "$STD_OUTPUT" 2> "$STD_ERROR"
ok 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails
PASS: regression/abi0-conflict/test_abi0_conflict 7 - LD_PRELOAD: ust app with 
abi0 and abi1 preload fails
./regression/abi0-conflict/test_abi0_conflict: line 74: 592684 Aborted  
   (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" "${CURDIR}/app_ust" 
> "$STD_OUTPUT" 2> "$STD_ERROR"
ok 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails
PASS: regression/abi0-conflict/test_abi0_conflict 8 - LD_PRELOAD: ust app with 
abi1 and abi0 preload fails
# dlopen
# regression/abi0-conflict/test_abi0_conflict: dlopen
ok 9 - dlopen: no-ust app works
PASS: regression/abi0-conflict/test_abi0_conflict 9 - dlopen: no-ust app works
ok 10 - dlopen: no-ust app with abi1 and abi1 succeeds
PASS: regression/abi0-conflict/test_abi0_conflict 10 - dlopen: no-ust app with 
abi1 and abi1 succeeds
./regression/abi0-conflict/test_abi0_conflict: line 92: 592689 Aborted  
   (core dumped) LD_LIBRARY_PATH="$LIBFAKEUST0_PATH:$LIBUST1_PATH" 
"${CURDIR}/app_noust_dlopen" abi0_abi1 > "$STD_OUTPUT" 2> "$STD_ERROR"
ok 11 - dlopen: no-ust app with abi0 and abi1 fails
PASS: regression/abi0-conflict/test_abi0_conflict 11 - dlopen: no-ust app with 
abi0 and abi1 fails
not ok 12 - dlopen: no-ust app with abi1 and abi0 fails
FAIL: regression/abi0-conflict/test_abi0_conflict 12 - dlopen: no-ust app with 
abi1 and abi0 fails
#   Failed test 'dlopen: no-ust app with abi1 and abi0 fails'
# regression/abi0-conflict/test_abi0_conflict: Failed test 'dlopen: no-ust app 
with abi1 and abi0 fails'
#   in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at 
line 300.
# regression/abi0-conflict/test_abi0_conflict: in 
/home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at line 300.
#  got: '0'
# regression/abi0-conflict/test_abi0_conflict: got: '0'
# expected: '0'
# regression/abi0-conflict/test_abi0_conflict: expected: '0'
ok 13 - dlopen: ust app works
PASS: regression/abi0-conflict/test_abi0_conflict 13 - dlopen: ust app works
not ok 14 - dlopen: ust app with abi0 fails
FAIL: regression/abi0-conflict/test_abi0_conflict 14 - dlopen: ust app with 
abi0 fails
#   Failed test 'dlopen: ust app with abi0 fails'
# regression/abi0-conflict/test_abi0_conflict: Failed test 'dlopen: ust app 
with abi0 fails'
#   in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at 
line 300.
# regression/abi0-conflict/test_abi0_conflict: in 

[Touch-packages] [Bug 1952242] Re: [jammy] missing rules for samba profile

2021-11-30 Thread Andreas Hasenack
While working on this bug, I noticed that not all built profiles are
being installed, and dh_missing is complaining. I filed
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952632 for
that, as I'm way too deep in this rabbit hole already.

** Changed in: apparmor (Ubuntu)
   Status: New => In Progress

** Changed in: apparmor (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1952242

Title:
  [jammy] missing rules for samba profile

Status in apparmor package in Ubuntu:
  In Progress

Bug description:
  ubuntu jammy

  apparmor-profiles 3.0.3-0ubuntu3
  samba 2:4.13.5+dfsg-2ubuntu3

  smbd:
  Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon...
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586080] audit: type=1400 
audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" 
pid=1094 comm="smbd" capability=12  capname="net_admin"
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586241] audit: type=1400 
audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" 
name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" 
denied_mask="w" fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592258] audit: type=1400 
audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592460] audit: type=1400 
audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592532] audit: type=1400 
audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" 
pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592683] audit: type=1400 
audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.600378] audit: type=1400 
audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" 
name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" 
denied_mask="w" fsuid=0 ouid=0

  nmbd:
  Nov 25 14:59:26 jammy-samba-apparmor systemd[1]: Starting Samba NMB Daemon...
  Nov 25 14:59:26 jammy-samba-apparmor kernel: [  196.718721] audit: type=1400 
audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd" 
pid=1067 comm="nmbd" capability=12  capname="net_admin"

  
  The systemd notify one for smbd was first fixed for nmbd in 
https://gitlab.com/apparmor/apparmor/-/merge_requests/236 for nmbd, but smbd 
was missed.

  net_admin might be https://github.com/systemd/systemd/pull/10085, I
  didn't check if jammy's systemd has that patch (it should, since it's
  old)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952242/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
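
The audit records in the bug description above can be turned into a per-profile list of the accesses the smbd and nmbd profiles do not yet cover. The following is an added example, not part of the original message and not the AppArmor project's own tooling; the function names are hypothetical, the log lines are the ones quoted in the bug rejoined onto single lines, and the emitted rules are candidates for review, not the fix that was applied.

```python
import re
import shlex
from collections import defaultdict

# Audit records quoted in the bug description, rejoined onto single lines.
SAMPLE_LOG = """\
Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon...
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586080] audit: type=1400 audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1094 comm="smbd" capability=12  capname="net_admin"
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586241] audit: type=1400 audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592258] audit: type=1400 audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592460] audit: type=1400 audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592532] audit: type=1400 audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592683] audit: type=1400 audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.600378] audit: type=1400 audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Nov 25 14:59:26 jammy-samba-apparmor kernel: [  196.718721] audit: type=1400 audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd" pid=1067 comm="nmbd" capability=12  capname="net_admin"
"""

# Everything after "audit(<timestamp>:<serial>):" is a run of key=value pairs.
AUDIT_RE = re.compile(r'audit\([\d.]+:(?P<serial>\d+)\):\s+(?P<fields>apparmor=.*)$')

# Audit mask letters mapped to file-rule permissions; create/delete need "w".
_PERM_MAP = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
             "k": "k", "l": "l", "m": "m"}


def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    match = AUDIT_RE.search(line)
    if match is None:
        return None
    fields = {"serial": int(match.group("serial"))}
    for token in shlex.split(match.group("fields")):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def file_perms(mask):
    """Translate a denied_mask into rule permissions; None if a human must decide."""
    perms = []
    for letter in mask:
        perm = _PERM_MAP.get(letter)
        if perm is None:  # e.g. "x": the exec transition mode is a policy choice
            return None
        if perm not in perms:
            perms.append(perm)
    if "w" in perms and "a" in perms:  # "w" already implies append
        perms.remove("a")
    return "".join(perms)


def candidate_rule(rec):
    """Map one audit record to a candidate profile rule, or None if unsupported."""
    operation = rec.get("operation")
    if operation == "capable" and "capname" in rec:
        return f"capability {rec['capname']},"
    if operation == "ptrace" and "peer" in rec and "denied_mask" in rec:
        return f"ptrace ({rec['denied_mask']}) peer={rec['peer']},"
    if "name" in rec and "denied_mask" in rec:
        perms = file_perms(rec["denied_mask"])
        if perms:
            return f"{rec['name']} {perms},"
    return None


def summarize(log_text):
    """Group candidate rules by profile with hit counts; return (rules, unhandled)."""
    rules = defaultdict(dict)
    unhandled = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # ALLOWED is logged in complain mode, DENIED in enforce mode.
        if rec is None or rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        rule = candidate_rule(rec)
        if rule is None:
            unhandled.append(rec)
            continue
        per_profile = rules[rec.get("profile", "?")]
        per_profile[rule] = per_profile.get(rule, 0) + 1
    return dict(rules), unhandled


if __name__ == "__main__":
    found, skipped = summarize(SAMPLE_LOG)
    for profile, profile_rules in found.items():
        print(f"profile {profile}:")
        for rule, hits in profile_rules.items():
            print(f"  {rule}  # seen {hits}x")
    print(f"{len(skipped)} record(s) need manual review")
```

Each candidate still needs a decision on whether the access should be granted at all: the `ptrace` read of an unconfined peer and the read of `/proc/1/environ` are the ones to question before widening the profile.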


[Touch-packages] [Bug 1952632] [NEW] Some profiles installed but not included in debs

2021-11-29 Thread Andreas Hasenack
Public bug reported:

dh_missing is flagging some profiles that are installed by the Makefile,
but not included in debs:

$ cat ../build.log  | grep dh_missing | grep -v /local/ | grep etc/apparmor\\.d
dh_missing: warning: etc/apparmor.d/php-fpm exists in debian/tmp but is not 
installed to anywhere 
dh_missing: warning: etc/apparmor.d/tunables/ntpd exists in debian/tmp but is 
not installed to anywhere 
dh_missing: warning: etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 exists 
in debian/tmp but is not installed to anywhere 
dh_missing: warning: etc/apparmor.d/usr.lib.dovecot.stats exists in debian/tmp 
but is not installed to anywhere 
dh_missing: warning: etc/apparmor.d/usr.sbin.ntpd exists in debian/tmp but is 
not installed to anywhere 
dh_missing: warning: etc/apparmor.d/usr.sbin.winbindd exists in debian/tmp but 
is not installed to anywhere

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1952632

Title:
  Some profiles installed but not included in debs

Status in apparmor package in Ubuntu:
  New



[Touch-packages] [Bug 1952242] Re: [jammy] missing rules for samba profile

2021-11-29 Thread Andreas Hasenack
I'm having to add the following just to allow samba to be started by systemd, 
and I'm still missing net_admin capa, which I'm reluctant to add:
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -24,12 +24,22 @@
   capability sys_resource,
   capability sys_tty_config,
 
+  # when started by systemd
+  ptrace read peer=unconfined,
+
   /etc/mtab r,
   /etc/netgroup r,
   /etc/printcap r,
   /etc/samba/* rwk,
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
+
+  # https://gitlab.com/apparmor/apparmor/-/issues/203
+  # needed when smbd is started by systemd
+  @{PROC}/1/environ r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/auth/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
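
Review bot: `ptrace read peer=unconfined,` at the top of this hunk grants smbd read-level ptrace access to every unconfined process, and its comment ("when started by systemd") does not say what needs it. In the audit records the ptrace request sits between the opens of /proc/1/environ and /proc/cmdline, so it looks tied to reading PID 1's data. Consider moving the rule into the second added block beside `@{PROC}/1/environ r,`, under the issue 203 link, and saying so in the comment, so a later reader can tell whether it can be dropped once the upstream issue is resolved.
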
@@ -51,6 +61,8 @@
   @{run}/samba/ncalrpc/ rw,
   @{run}/samba/ncalrpc/** rw,
   @{run}/samba/smbd.pid rw,
+  # when started by systemd
+  @{run}/systemd/notify w,
   /var/spool/samba/** rw,
 
   @{HOMEDIRS}/** lrwk,
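
Review bot: the comment above `@{run}/systemd/notify w,` only repeats "when started by systemd". The report says the same rule was already added for nmbd in apparmor merge request 236 and that smbd was missed, so cite that merge request in the comment. A blank line between the two added lines and `@{run}/samba/smbd.pid rw,` would also match how the first hunk sets off its additions.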


With the above, I only get this alert now:
[Mon Nov 29 14:18:54 2021] audit: type=1400 audit(1638195535.664:42): 
apparmor="ALLOWED" operation="capable" profile="smbd" pid=1046 comm="smbd" 
capability=12  capname="net_admin"


And only when starting smbd with systemd. Looks like we will have to live with 
that one, if I understood the comments in the upstream bug correctly.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1952242

Title:
  [jammy] missing rules for samba profile

Status in apparmor package in Ubuntu:
  New

Bug description:
  ubuntu jammy

  apparmor-profiles 3.0.3-0ubuntu3
  samba 2:4.13.5+dfsg-2ubuntu3

  smbd:
  Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon...
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586080] audit: type=1400 
audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" 
pid=1094 comm="smbd" capability=12  capname="net_admin"
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586241] audit: type=1400 
audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" 
name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" 
denied_mask="w" fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592258] audit: type=1400 
audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592460] audit: type=1400 
audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592532] audit: type=1400 
audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" 
pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592683] audit: type=1400 
audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
  Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.600378] audit: type=1400 
audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" 
name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" 
denied_mask="w" fsuid=0 ouid=0

  nmbd:
  Nov 25 14:59:26 jammy-samba-apparmor systemd[1]: Starting Samba NMB Daemon...
  Nov 25 14:59:26 jammy-samba-apparmor kernel: [  196.718721] audit: type=1400
audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd"
pid=1067 comm="nmbd" capability=12  capname="net_admin"

  
  The systemd notify one for smbd was first fixed for nmbd in 
https://gitlab.com/apparmor/apparmor/-/merge_requests/236 for nmbd, but smbd 
was missed.

  net_admin might be https://github.com/systemd/systemd/pull/10085, I
  didn't check if jammy's systemd has that patch (it should, since it's
  old)

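
Turning the complain-mode records above into candidate profile rules, as an added example that is not part of the original message or of AppArmor's own tooling. The function names, the two-entry tunables table and the choice of which rules to flag for review are assumptions; the sample records are copied from the report and re-joined onto single lines.

```python
import re

# Audit records copied from the report above, re-joined so each event is on one line.
SAMPLE_LOG = '''\
Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon...
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586080] audit: type=1400 audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1094 comm="smbd" capability=12  capname="net_admin"
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586241] audit: type=1400 audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592258] audit: type=1400 audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592460] audit: type=1400 audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592532] audit: type=1400 audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592683] audit: type=1400 audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.600378] audit: type=1400 audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Nov 25 14:59:26 jammy-samba-apparmor kernel: [  196.718721] audit: type=1400 audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd" pid=1067 comm="nmbd" capability=12  capname="net_admin"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Path prefixes rewritten to the tunables the profile in the patch already uses.
TUNABLES = (("/proc/", "@{PROC}/"), ("/run/", "@{run}/"))
# Create and delete requests are covered by the write permission in a rule.
MASK = {"c": "w", "d": "w"}
# Assumption: access to another process's /proc/<pid>/ entries deserves a human look.
REVIEW_PATH = re.compile(r"@\{PROC\}/\d+/")


def parse_record(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = quoted if bare == "" else bare
        # The audit subsystem hex-encodes names containing spaces or control
        # characters and then omits the quotes.
        if key == "name" and bare and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields


def suggest_rules(log_text, profile):
    """Return [(rule, needs_review)] for one profile, de-duplicated, first-seen order."""
    seen = {}  # rule text -> None, or file path -> set of permission letters
    for line in log_text.splitlines():
        f = parse_record(line)
        if not f or f.get("profile") != profile:
            continue
        op, mask = f.get("operation"), f.get("requested_mask", "")
        if op == "capable" and "capname" in f:
            seen.setdefault("capability %s," % f["capname"], None)
        elif op == "ptrace" and "peer" in f:
            seen.setdefault("ptrace %s peer=%s," % (mask, f["peer"]), None)
        elif "name" in f and mask and "x" not in mask:
            # Exec requests need a transition mode (ix, px, ...) and are left out.
            path = f["name"]
            for prefix, var in TUNABLES:
                if path.startswith(prefix):
                    path = var + path[len(prefix):]
                    break
            seen.setdefault(path, set()).update(MASK.get(c, c) for c in mask)
    rules = []
    for key, perms in seen.items():
        if perms is None:
            # Capability and ptrace rules are not scoped to a path: always review.
            rules.append((key, True))
        else:
            text = '"%s"' % key if " " in key else key
            rules.append(("%s %s," % (text, "".join(sorted(perms))),
                          bool(REVIEW_PATH.match(key))))
    return rules


if __name__ == "__main__":
    for rule, review in suggest_rules(SAMPLE_LOG, "smbd"):
        print("  %-36s%s" % (rule, "  # review before adding" if review else ""))
```

For the smbd records this yields the five rules in the patch above plus `capability net_admin,`, and it flags the capability, ptrace and PID 1 rules for review.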


[Touch-packages] [Bug 1952242] Re: [jammy] missing rules for samba profile

2021-11-26 Thread Andreas Hasenack
Related: https://gitlab.com/apparmor/apparmor/-/issues/203

** Bug watch added: gitlab.com/apparmor/apparmor/-/issues #203
   https://gitlab.com/apparmor/apparmor/-/issues/203

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1952242

Title:
  [jammy] missing rules for samba profile

Status in apparmor package in Ubuntu:
  New



[Touch-packages] [Bug 1952242] [NEW] [jammy] missing rules for samba profile

2021-11-25 Thread Andreas Hasenack
Public bug reported:

ubuntu jammy

apparmor-profiles 3.0.3-0ubuntu3
samba 2:4.13.5+dfsg-2ubuntu3

smbd:
Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon...
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586080] audit: type=1400 
audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" 
pid=1094 comm="smbd" capability=12  capname="net_admin"
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.586241] audit: type=1400 
audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" 
name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" 
denied_mask="w" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592258] audit: type=1400 
audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592460] audit: type=1400 
audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592532] audit: type=1400 
audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" 
pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined"
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.592683] audit: type=1400 
audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" 
name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
Nov 25 14:59:56 jammy-samba-apparmor kernel: [  227.600378] audit: type=1400 
audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" 
name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" 
denied_mask="w" fsuid=0 ouid=0

nmbd:
Nov 25 14:59:26 jammy-samba-apparmor systemd[1]: Starting Samba NMB Daemon...
Nov 25 14:59:26 jammy-samba-apparmor kernel: [  196.718721] audit: type=1400
audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd"
pid=1067 comm="nmbd" capability=12  capname="net_admin"


The systemd notify one for smbd was first fixed for nmbd in 
https://gitlab.com/apparmor/apparmor/-/merge_requests/236 for nmbd, but smbd 
was missed.

net_admin might be https://github.com/systemd/systemd/pull/10085, I
didn't check if jammy's systemd has that patch (it should, since it's
old)

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1952242

Title:
  [jammy] missing rules for samba profile

Status in apparmor package in Ubuntu:
  New


[Touch-packages] [Bug 1892798] Re: systemd package missing resolvconf(8) compatibility symlink, and a Provides: resolvconf

2021-11-23 Thread Andreas Hasenack
> Our kernel ships wireguard modules by default anyway, and one can
> configure wireguard via networkd and soon via netplan. Which is our
> default tooling to interact with the wireguard kernel module.

How should we generate the wireguard keys without `wg`? openssl? It's a
significant deviation from upstream and what you will find documented
out there, and puts the burden on us to make sure the keys were
correctly generated, with the correct entropy source, number of rounds
(if applicable), etc.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1892798

Title:
  systemd package missing resolvconf(8) compatibility symlink, and a
  Provides: resolvconf

Status in systemd package in Ubuntu:
  Won't Fix
Status in wireguard package in Ubuntu:
  Confirmed
Status in systemd package in Debian:
  Incomplete

Bug description:
  By default Ubuntu now uses systemd to manage the nameservers in
  resolv.conf, so resolvconf and openresolv seem to be redundant.
  However, it appears that systemd's resolvectl is compatible with
  resolvconf style commands if symlinked as resolvconf.

  I'm not really sure how deb packaging works, but if it is possible to
  check for the resolvconf command, and if not found just symlink
  /usr/bin/resolvectl to /usr/sbin/resolvconf then wg-quick will work
  without additional packages.

  See
  
https://manpages.ubuntu.com/manpages/focal/man1/resolvectl.1#compatibility%20with%20resolvconf(8)
  for more info.

  Apologies if there is a better place to direct this info.



[Touch-packages] [Bug 1950370] [NEW] [bionic] userdel doesn't check for local users

2021-11-09 Thread Andreas Hasenack
Public bug reported:

Before trying to delete a user, userdel checks if the user exists. The
problem is that this check is done using getpwnam(), which will query
all nss sources from /etc/nsswitch.conf.

If a system has, for example, LDAP enabled, and userdel is called with
the name of a user that only exists in LDAP, it will pass that check,
and userdel will proceed and try to delete that user, which will
obviously fail.

That might not sound like a big deal, but it is. As part of the checks
it runs before deleting a user, it checks if there is any running
process owned by that user. This means that it will do a getpwnam() call
for each running process. On a busy machine, that can be thousands, and
each one will trigger an LDAP lookup. Oops.

Upstream fixed this in commit
https://github.com/shadow-maint/shadow/commit/2c57c399bf0d2f06dc8a8fed244ec80667a671f1

Focal and later have this upstream version and are not affected.

** Affects: shadow (Ubuntu)
 Importance: Undecided
 Status: Fix Released

** Affects: shadow (Ubuntu Bionic)
 Importance: Undecided
 Status: New

** Also affects: shadow (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: shadow (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1950370

Title:
  [bionic] userdel doesn't check for local users

Status in shadow package in Ubuntu:
  Fix Released
Status in shadow source package in Bionic:
  New

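
The two lookups the report describes, done without going through NSS, as an added example that is neither shadow's code nor the upstream fix. The function names and the paths passed in are assumptions: the existence check reads a passwd-format file directly, and the busy check compares numeric UIDs from /proc/<pid>/status so that no name lookup is made per process.

```python
import os


def local_passwd_entry(name, passwd_path="/etc/passwd"):
    """Return (name, uid, gid) from a passwd-format file only, or None.

    Unlike getpwnam(), this never consults the other sources listed in
    /etc/nsswitch.conf, so a user that exists only in LDAP is not found.
    """
    with open(passwd_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parts = line.rstrip("\n").split(":")
            # Skip comments, NIS compat markers (+/-) and malformed lines.
            if len(parts) != 7 or not parts[0] or parts[0][0] in "#+-":
                continue
            if parts[0] == name:
                try:
                    return parts[0], int(parts[2]), int(parts[3])
                except ValueError:
                    return None
    return None


def uids_of_process(status_path):
    """Return the real, effective and saved UIDs from a /proc/<pid>/status file."""
    with open(status_path, encoding="ascii", errors="replace") as fh:
        for line in fh:
            if line.startswith("Uid:"):
                return {int(x) for x in line.split()[1:4]}
    return set()


def pids_owned_by(uid, proc_root="/proc"):
    """List PIDs running under uid: one file read per process, no name lookup."""
    pids = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            if uid in uids_of_process(os.path.join(proc_root, entry, "status")):
                pids.append(int(entry))
        except (OSError, ValueError):
            continue  # the process exited, or its status file is unreadable
    return sorted(pids)


def check_deletable(name, passwd_path="/etc/passwd", proc_root="/proc"):
    """Return (ok, reason); stop before the process scan if the user is not local."""
    entry = local_passwd_entry(name, passwd_path)
    if entry is None:
        return False, "no local passwd entry"
    busy = pids_owned_by(entry[1], proc_root)
    if busy:
        return False, "in use by pid %s" % ", ".join(map(str, busy))
    return True, "ok"


if __name__ == "__main__":
    print(check_deletable("root"))
```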


[Touch-packages] [Bug 1946860] Re: Merge heimdal from Debian unstable for 22.04

2021-10-14 Thread Andreas Hasenack
** Changed in: heimdal (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to heimdal in Ubuntu.
https://bugs.launchpad.net/bugs/1946860

Title:
  Merge heimdal from Debian unstable for 22.04

Status in heimdal package in Ubuntu:
  New

Bug description:
  Scheduled-For: 22.11
  Upstream: tbd
  Debian:   7.7.0+dfsg-2
  Ubuntu:   7.7.0+dfsg-2ubuntu2


  
  ### New Debian Changes ###

  heimdal (7.7.0+dfsg-2) unstable; urgency=medium

* Build using python3. Closes: #936695, #960032.

   -- Brian May   Tue, 12 May 2020 06:56:04 +1000

  heimdal (7.7.0+dfsg-1) unstable; urgency=medium

* New upstream version.
* Fix CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction
  was not being applied when processing protocol
  transition requests (S4U2Self), in the AD DC KDC. Closes: #946786.

   -- Brian May   Tue, 17 Dec 2019 20:23:41 +1100

  heimdal (7.5.0+dfsg-3) unstable; urgency=high

* CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum.
  Closes: #928966.
* CVE-2019-12098: Always confirm PA-PKINIT-KX for anon PKINIT.
  Closes: #929064.
* Update test certificates to pre 2038 expiry. Closes: #923930.

   -- Brian May   Tue, 21 May 2019 18:04:35 +1000

  heimdal (7.5.0+dfsg-2.1) unstable; urgency=medium

* Non-maintainer upload
* Add patch to create headers before building (Closes: 906623)

   -- Hilko Bengen   Sun, 28 Oct 2018 15:10:44 +0100

  heimdal (7.5.0+dfsg-2) unstable; urgency=medium

* Replace 'MAXHOSTNAMELEN' with 'MaxHostNameLen' in kdc/kx509.c for The
  Hurd. Closes: #900079.

   -- Brian May   Sat, 02 Jun 2018 10:01:46 +1000

  heimdal (7.5.0+dfsg-1) unstable; urgency=high

* New upstream version. (Closes: #850723)
  + CVE-2017-17439: Remote unauthenticated DoS in Heimdal-KDC 7.4
(Closes: #878144, #868157)
  + Refresh patches.
* Bump Standards-Version to 4.1.2 and compat level to 10.
  + Remove explicit reference to dh-autoreconf.
* Use uscan to get orig source.
  + Refrain from mangling some bundled RFC texts;
just exclude them as they are not installed into any binary anyway.
  + Update d/copyright to DEP-5.
  + Can now use standard uscan/gbp/pristine-tar workflow.
* Fix some lintian errors/warnings.
  + Strip trailing whitespace from changelog.
  + Fix some duplicate long descriptions.
  + Use optional priority everywhere.
  + Update/remove some overrides.
  + Enforce set -e in maintainer scripts.
  + Enable hardening.
* Migrate to -dbgsym.
* Add myself to uploaders.

   -- Dominik George   Fri, 15 Dec 2017 01:13:04
  +0100

  heimdal (7.4.0.dfsg.1-2) unstable; urgency=medium

[ Jelmer Vernooij ]
* Remove myself from uploaders.

[ Brian May ]
* Be explicit with heimdal.mkey filename in postinst. Closes: #868638.
* Tests should respect DEB_BUILD_OPTIONS=nocheck.  Closes: #868842.

   -- Brian May   Sun, 23 Jul 2017 10:32:34 +1000

  heimdal (7.4.0.dfsg.1-1) unstable; urgency=high

* New upstream version.
* Update standards version to 4.0.0.
* CVE-2017-11103: Fix Orpheus' Lyre KDC-REP service name validation.
  (Closes: #868208).

   -- Brian May   Sat, 15 Jul 2017 19:47:32 +1000

  heimdal (7.1.0+dfsg-13) unstable; urgency=medium

* Add missing symbols base64_decode and base64_encode back into
  libroken. Closes: #848694.

   -- Brian May   Wed, 26 Apr 2017 19:38:20 +1000

  heimdal (7.1.0+dfsg-12) unstable; urgency=high

* Fix transit path validation CVE-2017-6594.

   -- Brian May   Mon, 10 Apr 2017 17:21:35 +1000

  heimdal (7.1.0+dfsg-11) unstable; urgency=medium

* Remove legacy provides/conflicts/replaces headers. Old daemons


  ### Old Ubuntu Delta ###

  heimdal (7.7.0+dfsg-2ubuntu2) impish; urgency=medium

* Remove symbol rk_closefrom@HEIMDAL_ROKEN_1.0 1.4.0+git20110226
  (LP: #1945787) 

   -- Heinrich Schuchardt   Fri, 01
  Oct 2021 15:03:02 +0200

  heimdal (7.7.0+dfsg-2ubuntu1) impish; urgency=medium

* Disable lto, to regain dep on roken, otherwise dependencies on amd64
  are different to i386 resulting in different files on amd64 and
  i386. LP: #1934936

   -- Dimitri John Ledkov   Tue, 20 Jul
  2021 10:32:53 +0100

  heimdal (7.7.0+dfsg-2build1) impish; urgency=medium

* No-change rebuild due to OpenLDAP soname bump.

   -- Sergio Durigan Junior   Mon, 21 Jun
  2021 17:48:49 -0400



[Touch-packages] [Bug 1943530] Re: link libkrb5 with openssl

2021-09-14 Thread Andreas Hasenack
Do we even know for sure this krb5-k5tls is enough for fips compliance,
and that it replaces *all* crypto code in kerberos with openssl calls?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1943530

Title:
  link libkrb5 with openssl

Status in krb5 package in Ubuntu:
  New

Bug description:
  In Ubuntu we provide a cryptographic core based on a small set of
  packages that we FIPS certify [0]. Applications and libraries should
  not bundle their own crypto code but should use the cryptographic core
  to benefit from the certification, but also importantly to reduce bugs
  due to small cryptographic libraries that are not studied as much
  as more popular counterparts. This bug is to change libkrb5 to use the
  openssl crypto code instead of bundling its own on the next ubuntu
  release.

  [0]. https://ubuntu.com/security/fips



[Touch-packages] [Bug 1791958] Re: iptables-restore is missing -w option

2021-07-19 Thread Andreas Hasenack
For backports, a straight build of 1.6.2 would perhaps be enough. Might
not seem a version change big enough for backports, but as we have seen,
it does introduce a change of behavior that impacts existing firewall
scripts.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1791958

Title:
  iptables-restore is missing -w option

Status in iptables package in Ubuntu:
  Confirmed

Bug description:
  For CRIU we need to have iptables version 1.6.2 which includes the
  '-w' option in iptables-restore.

  This is a request to update iptables to 1.6.2 in 18.10 and if possible
  backport the necessary changes to 18.04.

  The CRIU project gets right now many bug reports (mostly in the
  combination LXD + CRIU) due to the missing '-w' option in
  iptables-restore. Especially as 18.04 will be around for some time it
  would be good to have iptables-restore available with '-w'.

  This is one example bug report:
  https://github.com/checkpoint-restore/criu/issues/551

  But not only CRIU would benefit from this change. It seems also
  problematic with Kubernetes:
  https://github.com/kubernetes/kubernetes/pull/60978

  So if possible, please update iptables to 1.6.2 (or backport changes)
  to support -w in iptables-restore.



[Touch-packages] [Bug 1895302] Re: groovy debootstrap leaves /e/d/motd-news.wasremoved around

2021-07-16 Thread Andreas Hasenack
I retried testcase (b) in an up-to-date focal, and it still happens.
It's been a long while since I touched this package and I don't remember
the details anymore. Since I'm no longer working on this, I'll mark the
bug status accordingly.

** Changed in: base-files (Ubuntu Xenial)
   Status: In Progress => Confirmed

** Changed in: base-files (Ubuntu Bionic)
   Status: In Progress => Confirmed

** Changed in: base-files (Ubuntu Focal)
   Status: In Progress => Confirmed

** Changed in: base-files (Ubuntu Xenial)
 Assignee: Andreas Hasenack (ahasenack) => (unassigned)

** Changed in: base-files (Ubuntu Bionic)
     Assignee: Andreas Hasenack (ahasenack) => (unassigned)

** Changed in: base-files (Ubuntu Focal)
 Assignee: Andreas Hasenack (ahasenack) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1895302

Title:
  groovy debootstrap leaves /e/d/motd-news.wasremoved around

Status in base-files package in Ubuntu:
  Fix Released
Status in base-files source package in Xenial:
  Confirmed
Status in base-files source package in Bionic:
  Confirmed
Status in base-files source package in Focal:
  Confirmed

Bug description:
  [Impact]
  A fresh install of base-files, like done when using debootstrap, using the 
base-files from the -updates repository (in the case of ubuntu stable 
releases), will leave an empty /etc/default/motd-news.wasremoved file. This 
file is an artifact of the mechanism used to handle a corner case in the 
previous SRU where it would signal the motd-news-config package to install 
/etc/default/motd-news with ENABLED=0. See testcases (h) and (i) in the 
previous base-files SRU at 
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1888575 for details. 
In test case (i) it was acked that the empty .wasremoved file was lying around, 
but its impact was deemed not relevant (see [other info] item (a)).

  Another case where /etc/default/motd-news.wasremoved would be created
  when it shouldn't be is when you have just base-files installed (and
  no ubuntu-server or motd-news-config) and did a reinstall of
  base-files, or an upgrade. It would again touch
  /etc/default/motd-news.wasremoved.

  The consequence of having /etc/default/motd-news.wasremoved when it's
  unintended is that a follow-up install of ubuntu-server, or
  motd-news-config for that matter, will install /etc/default/motd-news
  with ENABLED=0 instead of ENABLED=1.

  This was the case of the groovy debootstrap which resulted in this bug
  being filed. While debootstrap won't mix multiple repositories (like
  release with updates), and thus this isn't easily a problem in
  released versions of ubuntu, the groovy case was the one that was
  doing a fresh install of base-files with the buggy touch
  /etc/default/motd-news.wasremoved, and a subsequent install of
  ubuntu-server left motd-news disabled in groovy images produced by
  such a method (debootstrap).

  These are the scenarios I was able to come up with in which a stable
  release could be affected by this bug:

  a) debootstrap with release and updates pocket enabled
  There are no config options that I'm aware of that would tell debootstrap to 
use multiple pockets when creating a chroot, but let's say it was done by 
hacking the script or something else. It would then be the same case as groovy 
until this fix: subsequent installations of ubuntu-server or motd-news-config 
would default to having motd-news disabled

  b) A system that has just base-files from the previous SRU installed,
  and no ubuntu-server and no motd-news-config. If base-files were
  updated again and without the fix presented here (let's say, another
  SRU instead of this one), it would create /etc/default/motd-
  news.wasremoved, and again, a subsequent install of ubuntu-server or
  motd-news-config would install motd-news in a disabled state

  c) Any other case where the postinst script of base-files is run again
  without the fix presented here, and when there is no
  /etc/default/motd-news{,.dpkg*} file present.

  To avoid creating /etc/default/motd-news.wasremoved when we shouldn't, the 
maintainer scripts were changed as follows:
  - motd-news-config postinst: always remove the .wasremoved file in configure 
if found, regardless if /etc/default/motd-news was sed'ed or not, or if we are 
upgrading or on a first install
  - base-files postinst: guard the creation of .wasremoved with:
    - Only during an upgrade
    - Only if ubuntu-server is installed (via a dpkg -l check)

  [Test Case]
  * On the system under test, remove motd-news-config and ubuntu-server if they 
are installed, and keep base-files from the update pocket. Something like this:
  sudo apt update && sudo apt dist-upgrade -y
  sudo apt purge motd-news-config ubuntu-server
  apt-cache policy base-files <-- to verify it's from 

[Touch-packages] [Bug 1791958] Re: iptables-restore is missing -w option

2021-07-08 Thread Andreas Hasenack
I tested this last change, and it does exactly what we wanted for
iptables, the tool. And since that behavior is shared with all tools of
the iptables suite, it means iptables-restore got that fix too (good!),
but it also introduces a change in behavior for iptables-restore (bad!).

When compared to the bionic 1.6.1 iptables:
(a) straight backport from 1.6.2
- iptables loses the implicit -w parameter, meaning it will fail right away if it encounters the lock
- iptables-restore maintains the behavior, and grows the extra -w option

(b) massaged patches from comment #16
- iptables keeps the same behavior as in 1.6.1
- iptables-restore grows the implicit -w option, meaning it will block until the lock is released

The locking code is shared by all tools in one .c file. Making it behave
differently whether it's iptables or iptables-restore being used is
cumbersome, and would make Ubuntu the only one with this behavior.

Alternatively, this bug actually has a very decent workaround: wrap
iptables-restore in flock. That's the same locking mechanism that
iptables itself does, just internally.

Quick example: you want iptables-restore -w 2 file.iptables

Use:
flock -w 2 -x /run/xtables.lock iptables-restore file.iptables

You can even augment that a bit with -E , and have flock return
 if the lock cannot be acquired in the specified amount of time.


Of the two patch sets, it feels like (b) introduces the less bad behavior
change. Before, iptables-restore would fail right away; now it can get stuck
for as long as the lock is held. Which is the iptables behavior already. But
it's still a change, and your script could stall for as long as the lock
exists. You should change it to use -w .

Option (a) has the danger that if you are not checking for errors in
your script, one or more iptables calls could fail, and you wouldn't
notice, leaving your firewall incomplete. I think this is a dangerous
change.

Considering bionic is an LTS, and the existence of the flock workaround
which is exactly what the code itself does, what do you guys think about
this SRU? Should we pick a patch and go with it, or reject the change
and recommend the flock() alternative?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1791958

Title:
  iptables-restore is missing -w option

Status in iptables package in Ubuntu:
  Confirmed

Bug description:
  For CRIU we need to have iptables version 1.6.2 which includes the
  '-w' option in iptables-restore.

  This is a request to update iptables to 1.6.2 in 18.10 and if possible
  backport the necessary changes to 18.04.

  The CRIU project gets right now many bug reports (mostly in the
  combination LXD + CRIU) due to the missing '-w' option in iptables-
  restore. Especially as 18.04 will be around for some time it would be
  good to have iptables-restore available with '-w'.

  This is one example bug report: https://github.com/checkpoint-
  restore/criu/issues/551

  But not only CRIU would benefit from this change. It seems also
  problematic with Kubernetes:
  https://github.com/kubernetes/kubernetes/pull/60978

  So if possible, please update iptables to 1.6.2 (or backport changes)
  to support -w in iptables-restore.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1791958/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
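
The flock workaround from the message above, written as a reusable shell function that also checks the result, so a busy lock or a failed restore cannot pass unnoticed. This is an added example, not part of the original thread; the exit code 75 and the `XTABLES_LOCK` / `RESTORE_CMD` override variables are assumptions made here, and it needs flock(1) from util-linux.

```shell
#!/bin/sh
# Added example (not from the bug thread): wrap iptables-restore in flock(1),
# taking the same lock file that iptables itself takes internally.

# Lock path as given in the message; overridable so the function can be
# exercised against a scratch file (assumption of this example).
XTABLES_LOCK="${XTABLES_LOCK:-/run/xtables.lock}"

# Command that loads the rules; overridable for dry runs (assumption).
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"

# Exit status reserved for "lock not acquired in time". The value 75 is an
# assumption of this example; the thread does not name one. It only has to
# differ from the statuses the restore command itself can return.
LOCK_BUSY=75

# usage: restore_with_lock <wait-seconds> <rules-file>
# Returns 0 if the rules were loaded, $LOCK_BUSY if the lock stayed held for
# the whole wait, 2 if the rules file is unreadable, and otherwise the exit
# status of the restore command.
restore_with_lock() {
    wait_s=$1
    rules=$2

    if [ ! -r "$rules" ]; then
        echo "restore_with_lock: cannot read $rules" >&2
        return 2
    fi

    # -x: exclusive lock, -w: give up after wait_s seconds,
    # -E: exit status to use when the lock could not be taken.
    # "|| rc=$?" keeps the status even when the caller runs under set -e.
    rc=0
    flock -w "$wait_s" -E "$LOCK_BUSY" -x "$XTABLES_LOCK" \
        "$RESTORE_CMD" "$rules" || rc=$?

    case $rc in
        0)
            return 0
            ;;
        "$LOCK_BUSY")
            echo "restore_with_lock: xtables lock still held after ${wait_s}s, rules NOT loaded" >&2
            ;;
        *)
            echo "restore_with_lock: $RESTORE_CMD exited with status $rc, ruleset may be incomplete" >&2
            ;;
    esac
    return "$rc"
}

# Typical call, equivalent to "iptables-restore -w 2 file.iptables":
#   restore_with_lock 2 file.iptables || exit 1
```

Because the busy-lock status is distinct, a caller can retry on 75 and treat every other non-zero status as a broken ruleset.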


[Touch-packages] [Bug 1791958] Re: iptables-restore is missing -w option

2021-07-07 Thread Andreas Hasenack
Excellent progress Eric, thanks!

I'll give it a try.



[Touch-packages] [Bug 1791958] Re: iptables-restore is missing -w option

2021-06-29 Thread Andreas Hasenack
Thanks for the b3 version!

It restores the bionic implicit lock behavior (as if -w was given), but
when given a specific value, in the end it ignores that it couldn't
acquire the lock and moves on:


In all these tests, I have a lock held.

We have a chain called "andreas". See how -L waits 1 second as I requested, but moves on, listing the chain:
root@b1-iptables-restore-wait-lock:~# time iptables -L andreas -w 1
Chain andreas (0 references)
target prot opt source   destination

real    0m1.005s
user    0m0.004s
sys     0m0.000s

Now I delete the chain. This shouldn't work because another app is holding the lock:
root@b1-iptables-restore-wait-lock:~# time iptables -X andreas -w 1

real    0m1.006s
user    0m0.005s
sys     0m0.000s


Was it deleted? Let's list again, and it was:
root@b1-iptables-restore-wait-lock:~# time iptables -L andreas -w 1
iptables: No chain/target/match by that name.

real    0m1.005s
user    0m0.004s
sys     0m0.000s


root@b1-iptables-restore-wait-lock:~# apt-cache policy iptables
iptables:
  Installed: 1.6.1-2ubuntu2+testpkg20210629b3
  Candidate: 1.6.1-2ubuntu2+testpkg20210629b3
  Version table:
 *** 1.6.1-2ubuntu2+testpkg20210629b3 500
        500 http://ppa.launchpad.net/slashd/lp1791958/ubuntu bionic/main amd64 Packages



[Touch-packages] [Bug 1791958] Re: iptables-restore is missing -w option

2021-06-28 Thread Andreas Hasenack
+1 for a backport, I don't think 1.6.2 is suitable for an SRU,
specifically about one change I noticed with test packages that I think
can break existing firewall scripts.

The locking code is shared between tools, so in 1.6.2, not only do we
get iptables-{save,restore} with -w support, but iptables itself changes
behavior.

When a lock is held, this is the current behavior in bionic:
root@b1-iptables-restore-wait-lock:~# time iptables -L
Another app is currently holding the xtables lock; still -9s 0us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still -19s 0us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still -29s 0us time ahead to have a chance to grab the lock...

Two things:
- there is an implied -w with no value, meaning infinite wait. Perhaps surprising, perhaps not.
- the time countdown is negative (bug)

In 1.6.2 and later, we have:
root@b1-iptables-restore-wait-lock:~# time iptables -L
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

real    0m0.003s

Focal:
root@f1:~# time iptables -L
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

real    0m0.003s
user    0m0.004s
sys     0m0.000s
root@f1:~# iptables --version
iptables v1.8.4 (legacy)

It exits immediately. I can see this breaking existing firewall scripts that 
were up to now relying on the lock even without knowing it. They would be 
working with the bionic version, perhaps hitting the lock a few times, but with 
the updated version, as soon as the lock is hit, iptables exits. This means the 
script would have to be changed to add -w [n] to all iptables invocations, and 
I think that's unexpected for an update to an LTS release.



[Touch-packages] [Bug 1913810] Re: restart doesn't test for syntax errors

2021-05-03 Thread Andreas Hasenack
yeah, it's specifically restart that we want to check

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1913810

Title:
  restart doesn't test for syntax errors

Status in openssh package in Ubuntu:
  Confirmed

Bug description:
  Tested openssh on bionic and groovy, same issue.

  The switch to systemd lost the ability to do a sanity check on the
  config file (via sshd -t) before attempting to restart sshd. This was
  originally bug #624361 in the SysV days, fixed in the initscript back
  then.

  The sysv script still does it, but it's not used anymore:
    restart)
      check_privsep_dir
      check_config
      log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true

  And:
    check_config() {
        if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
            /usr/sbin/sshd $SSHD_OPTS -t || exit 1
        fi
    }

  The systemd service file has only ExecStartPre, which doesn't let it start if there is an error, but will happily stop it:
  [Unit]
  Description=OpenBSD Secure Shell server
  After=network.target auditd.service
  ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

  [Service]
  EnvironmentFile=-/etc/default/ssh
  ExecStartPre=/usr/sbin/sshd -t
  ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
  ExecReload=/usr/sbin/sshd -t
  ExecReload=/bin/kill -HUP $MAINPID
  ...

  Example:
  # sshd -t
  # systemctl restart sshd
  # telnet localhost 22
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
  ^]
  telnet> quit
  Connection closed.

  # echo "syntax error" >> /etc/ssh/sshd_config
  # sshd -t
  /etc/ssh/sshd_config: line 123: Bad configuration option: syntax
  /etc/ssh/sshd_config: terminating, 1 bad configuration options

  # systemctl restart sshd
  Job for ssh.service failed because the control process exited with error code.
  See "systemctl status ssh.service" and "journalctl -xe" for details.

  # telnet localhost 22
  Trying 127.0.0.1...
  telnet: Unable to connect to remote host: Connection refused
  #

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1913810/+subscriptions



[Touch-packages] [Bug 388605] Re: [MIR] rsyslog

2021-03-30 Thread Andreas Hasenack
Actually, Christian didn't explicitly ack the stable releases in that
comment (but he did in the MPs I raised for the seed changes). I'll ask
him tomorrow to flip the statuses.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/388605

Title:
  [MIR] rsyslog

Status in rsyslog package in Ubuntu:
  Fix Released
Status in rsyslog source package in Bionic:
  New
Status in rsyslog source package in Focal:
  New
Status in rsyslog source package in Groovy:
  New
Status in rsyslog source package in Hirsute:
  Fix Released

Bug description:
  Binary package hint: rsyslog

  We want to make rsyslog the new default syslogger.

  See https://wiki.ubuntu.com/MainInclusionReport/rsyslog

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388605/+subscriptions



[Touch-packages] [Bug 388605] Re: [MIR] rsyslog

2021-03-30 Thread Andreas Hasenack
Given Christian's comments in comment #6, and the fact that the seed
changes were done, I'm going to mark the tasks for the stable releases
as "fix committed"



[Touch-packages] [Bug 388605] Re: [MIR] rsyslog

2021-03-25 Thread Andreas Hasenack
Meeting minutes: https://new.ubottu.com/meetingology/logs/ubuntu-
meeting/2021/ubuntu-meeting.2021-03-25-15.00.moin.txt



[Touch-packages] [Bug 388605] Re: [MIR] rsyslog

2021-03-25 Thread Andreas Hasenack
I'll provide MPs for bionic, focal and groovy to change the seeds to
pull rsyslog-gnutls into main, as discussed in #ubuntu-meeting with
Foundations today, and then ping an archive admin.



[Touch-packages] [Bug 388605] Re: [MIR] rsyslog

2021-03-23 Thread Andreas Hasenack
We would like to retroactively promote rsyslog-gnutls, a binary package
built from src:rsyslog (subject of this completed MIR), into main.

rsyslog-gnutls provides a gnutls plugin which allows rsyslog to encrypt
the data it sends to log servers. We believe this is a common scenario,
and very much needed for compliance nowadays, and this package should be
in main because of that.

rsyslog-gnutls was already part of this MIR, but was left in universe
because nothing pulled it into main (dependency or seed change).

I didn't see any comments here in the bug, or in the MIR report
(https://wiki.ubuntu.com/MainInclusionReport/rsyslog), that would be
specific about rsyslog-gnutls and why it should not be promoted. There
was just a list of dependencies, and they were ok for main inclusion,
and remain so to this date:

bionic: 8.32.0-1ubuntu4
Depends: libc6 (>= 2.14), libgnutls30 (>= 3.5.6), rsyslog (= 8.32.0-1ubuntu4)
Suggests: gnutls-bin

Depends are all in main, and Suggests is in universe, which is ok.


focal: 8.2001.0-1ubuntu1.1
Depends: libc6 (>= 2.14), libgnutls30 (>= 3.6.12), rsyslog (= 8.2001.0-1ubuntu1.1)
Suggests: gnutls-bin

Same deps.


groovy: 8.2006.0-2ubuntu1
Depends: libc6 (>= 2.14), libgnutls30 (>= 3.6.12), rsyslog (= 8.2006.0-2ubuntu1)
Suggests: gnutls-bin

Same deps.


Hirsute: 8.2102.0-2ubuntu1
Depends: libc6 (>= 2.33), libgnutls30 (>= 3.7.0), rsyslog (= 8.2102.0-2ubuntu1)
Suggests: gnutls-bin

Same deps.


List of rsyslog CVEs in the Ubuntu CVE tracker: 
https://ubuntu.com/security/cve?q==rsyslog===
None are related to encryption support.



[Touch-packages] [Bug 388605] Re: [MIR] rsyslog

2021-03-23 Thread Andreas Hasenack
** Also affects: rsyslog (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: rsyslog (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Also affects: rsyslog (Ubuntu Hirsute)
   Importance: Undecided
 Assignee: Kees Cook (kees)
   Status: Fix Released

** Also affects: rsyslog (Ubuntu Focal)
   Importance: Undecided
   Status: New



[Touch-packages] [Bug 1913187] Re: iproute2 segfaults when filtering sockets

2021-02-25 Thread Andreas Hasenack
postgresql-common amd64 and i386: passed after a retry
ubuntu-fan: see previous comment, known flaky test, and analysis of the test 
output shows that the test actually passed. I retried both amd64 and s390x, but 
I ask the SRU team to consider those runs green if they failed again (update: 
amd64 just passed, s390x still pending results).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iproute2 in Ubuntu.
https://bugs.launchpad.net/bugs/1913187

Title:
  iproute2 segfaults when filtering sockets

Status in iproute2 package in Ubuntu:
  Fix Released
Status in iproute2 source package in Bionic:
  Fix Committed

Bug description:
  [Impact]

   * The ss tool crashes when a query returns no results (seg fault)

  [Test Case]

   * $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1
  Segmentation fault

   * PPA with the fix:
  https://launchpad.net/~rafaeldtinoco/+archive/ubuntu/lp1913187

  [Where problems could occur]

   * The ss tool is impacted and it has its code changed for the fix.

   * The fix is a clean cherry-pick and straightforward (moving
  declaration after a NULL check).

  [Other Info]

  When in Ubuntu Bionic, if one calls:

  $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1
  tcp  0  0  127.0.0.1:58910  127.0.0.1:22  users:(("ssh",pid=11672,fd=3)) timer:(keepalive,119min,0)

  it works. Just like when in Groovy:

  $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1
  tcp  0  0  127.0.0.1:58908  127.0.0.1:22  users:(("ssh",pid=1488591,fd=3)) timer:(keepalive,119min,0)

  but.. if there is nothing to show, in Bionic we get a segfault:

  $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1
  Segmentation fault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iproute2/+bug/1913187/+subscriptions



[Touch-packages] [Bug 1913187] Re: iproute2 segfaults when filtering sockets

2021-02-25 Thread Andreas Hasenack
ubuntu-fan dep8 failures are due to
https://bugs.launchpad.net/ubuntu/+source/ubuntu-fan/+bug/1830180. It
was fixed in focal+, but in bionic it remains flaky. Explanation is in
https://bugs.launchpad.net/ubuntu/+source/ubuntu-
fan/+bug/1830180/comments/1

I'll retry it once or twice, but we can see from the test output that the test 
worked, and the stderr text is just noise that happened because systemd-resolve 
was called too soon:
Starting fanatic-test
lxd test: Waiting for addresses on eth0 ...
lxd test: Waiting for addresses on eth0 ...
lxd test: Waiting for addresses on eth0 ...
lxd test: Waiting for addresses on eth0 ...
lxd test: Waiting for addresses on eth0 ...
slave: detected primary route through eth0
sd_bus_open_system: No such file or directory <-- too soon
slave: waiting for systemd resolver...
slave: DNS: systemd(250.40.8.1) <--- now it worked, and the test continues
...



[Touch-packages] [Bug 1913810] [NEW] restart doesn't test for syntax errors

2021-01-29 Thread Andreas Hasenack
Public bug reported:

Tested openssh on bionic and groovy, same issue.

The switch to systemd lost the ability to do a sanity check on the
config file (via sshd -t) before attempting to restart sshd. This was
originally bug #624361 in the SysV days, fixed in the initscript back
then.

The sysv script still does it, but it's not used anymore:
  restart)
    check_privsep_dir
    check_config
    log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true

And:
  check_config() {
      if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
          /usr/sbin/sshd $SSHD_OPTS -t || exit 1
      fi
  }

The systemd service file has only ExecStartPre, which doesn't let it start if there is an error, but will happily stop it:
[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
...

Example:
# sshd -t   
# systemctl restart sshd
# telnet localhost 22   
Trying 127.0.0.1... 
Connected to localhost. 
Escape character is '^]'.   
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 
^]  
telnet> quit
Connection closed.  

# echo "syntax error" >> /etc/ssh/sshd_config   
# sshd -t   
/etc/ssh/sshd_config: line 123: Bad configuration option: syntax
/etc/ssh/sshd_config: terminating, 1 bad configuration options  

# systemctl restart sshd
Job for ssh.service failed because the control process exited with error code.  
See "systemctl status ssh.service" and "journalctl -xe" for details.

# telnet localhost 22   
Trying 127.0.0.1... 
telnet: Unable to connect to remote host: Connection refused
#

** Affects: openssh (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1913810

Title:
  restart doesn't test for syntax errors

Status in openssh package in Ubuntu:
  New


[Touch-packages] [Bug 1899218] Re: Incorrect warning from apparmor_parser on force complained profiles

2021-01-27 Thread Andreas Hasenack
Just saw this in bionic, I guess it's not important enough for an SRU?

# apparmor_parser -r -T -W --Complain /etc/apparmor.d/pam_roles /etc/apparmor.d/usr.sbin.sshd
Warning failed to create cache: pam_roles
Warning failed to create cache: usr.sbin.sshd

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1899218

Title:
  Incorrect warning from apparmor_parser on force complained profiles

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  apparmor_parser on a force complained profile produces an incorrect
  warning message:

  $ sudo apparmor_parser -rW /etc/apparmor.d/usr.sbin.sssd
  Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
  Warning from /etc/apparmor.d/usr.sbin.sssd (/etc/apparmor.d/usr.sbin.sssd line 54): Warning failed to create cache: usr.sbin.sssd

  Even though not generating the cache at all is expected, the warning
  should describe caching is disabled for force complained profiles
  instead of failure to create it.

  $ lsb_release -rd
  Description:  Ubuntu Groovy Gorilla (development branch)
  Release:  20.10

  $ apt-cache policy apparmor
  apparmor:
    Installed: 3.0.0~beta1-0ubuntu6
    Candidate: 3.0.0~beta1-0ubuntu6
    Version table:
   *** 3.0.0~beta1-0ubuntu6 500
          500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1899218/+subscriptions



[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-25 Thread Andreas Hasenack
TL;DR verification-succeeded

Ok, so here are the details.

I have two vms: one called orig-audit-bionic, the other called sru-
audit-bionic, where I ran the script from comment #23 over the weekend
in multiple scenarios. With auditd-1:2.8.2-1ubuntu1, the bug is
reproduced after a few hours, whereas with 1:2.8.2-1ubuntu1.1 I had it
running over 36h in one case with no failure.

a) orig-audit-bionic
Installed with the original auditd-1:2.8.2-1ubuntu1, I had two runs to verify 
the failure:
a.1) First run
started at Fri Jan 22 19:20:29 UTC 2021
failed at  Fri Jan 22 22:43:51 UTC 2021
Jan 22 22:43:51 orig-audit-bionic systemd[1]: Starting Security Auditing Service...
Jan 22 22:43:51 orig-audit-bionic auditd[24058]: Started dispatcher: /sbin/audispd pid: 24060
Jan 22 22:43:51 orig-audit-bionic audispd: No plugins found, exiting
Jan 22 22:45:21 orig-audit-bionic systemd[1]: auditd.service: Start operation timed out. Terminating.


a.2) Second run, same package
started at Sat Jan 23 14:30:11 UTC 2021
failed at  Sat Jan 23 21:35:20 UTC 2021
Jan 23 21:35:20 orig-audit-bionic systemd[1]: Starting Security Auditing Service...
Jan 23 21:35:20 orig-audit-bionic auditd[7794]: Started dispatcher: /sbin/audispd pid: 7796
Jan 23 21:35:20 orig-audit-bionic audispd: No plugins found, exiting
Jan 23 21:36:50 orig-audit-bionic systemd[1]: auditd.service: Start operation timed out. Terminating.

I then upgraded the auditd package to 1:2.8.2-1ubuntu1.1, and started another 
run:
started at  Sat Jan 23 23:54:35 UTC 2021
manually aborted at Mon Jan 25 12:23:42 UTC 2021
No failure.

b) sru-audit-bionic
Installed the original auditd-1:2.8.2-1ubuntu1, and upgraded it straight away 
to 1:2.8.2-1ubuntu1.1. Then started the script.
started at  Fri Jan 22 19:23:38 UTC 2021
manually aborted at Sun Jan 24 18:53:09 UTC 2021
No failure.

I then downgraded the auditd package back to auditd-1:2.8.2-1ubuntu1 and ran 
the script again.
started at Sun Jan 24 19:00:56 UTC 2021
failed at  Sun Jan 24 23:32:58 UTC 2021
Jan 24 23:32:58 sru-audit-bionic systemd[1]: Starting Security Auditing Service...
Jan 24 23:32:58 sru-audit-bionic auditd[11439]: Started dispatcher: /sbin/audispd pid: 11441
Jan 24 23:32:58 sru-audit-bionic audispd: No plugins found, exiting
Jan 24 23:34:28 sru-audit-bionic systemd[1]: auditd.service: Start operation timed out. Terminating.


Full logs attached as tarballs for, heh, audit purposes :)


** Attachment added: "audit-sru-1848330.tar.xz"
   
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1848330/+attachment/5456640/+files/audit-sru-1848330.tar.xz

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1848330

Title:
  Installing auditd sometimes fails in post-inst

Status in audit package in Ubuntu:
  Fix Released
Status in audit source package in Bionic:
  Fix Committed
Status in audit package in Debian:
  New

Bug description:
  [Impact]

  Sometimes, auditd will get stuck when starting up, causing systemd to
  kill it after a while since it (systemd) never got the start
  notification.

  Upstream troubleshot this to be caused by calling a syslog()
  function inside a signal handler.

  [Test Case]
  There is no reliable test case to reproduce the bug, other than trying the
  fixed packages on an affected system where the hang occurs more frequently.

  Basically:
  sudo systemctl stop auditd
  sudo systemctl start auditd

  should work reliably. Do not run that in a tight loop, however, as
  that will trigger an it's-restarting-too-frequently failure.

  [Where problems could occur]
  - if auditd fails to start, then the first fallback is syslog, and if that is
  not picking up the audit messages, the last resort is the kernel buffer, which
  can fill up. In the case it fills up, audit logs will be lost.

  - it's possible to configure the audit system to panic() the machine
  if audit messages are lost or otherwise not able to be recorded
  (auditctl -f 2; default is 1 which is printk())

  - the update restarts auditd as expected. Misconfiguration on very
  very busy systems could mean that audit logs would be lost during the
  brief moment the service is restarted. If that's the case, this update
  would just be one more way to trigger it, but not be the root cause of
  the problem

  - similarly, as is usual with updates that restart services, it's
  possible that an incorrect configuration for auditd is present, but
  was never loaded before. The restart will load the config, and will
  fail in such a case.

  - this update removes a logging statement that occurs during startup:

  ("dispatcher %d reaped", pid)

  It's unlikely, but possible, that some monitoring software could be
  looking for that message in the logs. It won't be there anymore after
  this update.

  [Other Info]

[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-23 Thread Andreas Hasenack
I prepared two bionic instances to run over the weekend.

One is running auditd from bionic, and the other is running the SRU
proposed package.

I have auditd being restarted via this script in both (just the email message 
is different, to say which package it was):
#!/bin/bash

result=0

# Restart auditd in a loop (2 s pause) until a restart fails or the daemon is gone.
while /bin/true; do
    date
    sudo systemctl restart auditd || result=$?
    if [ "$result" -ne "0" ]; then
        echo "FAILED, result=$result"
        break
    fi
    # pidof exits non-zero when no auditd process is running
    pid=$(pidof auditd) || result=$?
    if [ "$result" -ne "0" ]; then
        echo "FAILED, auditd not running"
        break
    fi
    echo "auditd pid = $pid"
    sleep 2
    echo
done
mail -s "ALERT: audit orig test failed" andr...@canonical.com < reaped" isn't shown, which
is exactly the bug: auditd hangs while trying to log that message inside
a signal handler.

So, looking good. Let's see if I can get another failure.


[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-22 Thread Andreas Hasenack
Dr. Harbott, would you be able to test the new audit packages in bionic-
proposed? The SRU team is reluctant to approve this update without some
sort of confirmation that it fixes the bug, and I haven't been able to
reproduce it myself.


[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-18 Thread Andreas Hasenack
Since it's difficult to reproduce the bug, what I'm going to do is set up
a system with the previous auditd, set up some rules, confirm they are
working, then upgrade, and confirm it keeps working, also after a
reboot.


# Bionic verification

auditd from bionic:
auditd:
  Installed: 1:2.8.2-1ubuntu1
  Candidate: 1:2.8.2-1ubuntu1
  Version table:
 *** 1:2.8.2-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Created a simple rule:
#  cat /etc/audit/rules.d/30-shadow.rules 
-w /etc/shadow -p wa -k shadow-changed

Loaded after restart:
# auditctl -l
-w /etc/shadow -p wa -k shadow-changed

Confirmed a change to the file gets logged:
# chmod 0400 /etc/shadow
#

/var/log/audit/auditd.log (parsed with ausearch -i):
type=PROCTITLE msg=audit(01/18/21 17:49:31.077:32) : proctitle=chmod 0400 /etc/shadow
type=PATH msg=audit(01/18/21 17:49:31.077:32) : item=0 name=/etc/shadow inode=64070 dev=fc:01 mode=file,640 ouid=root ogid=shadow rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(01/18/21 17:49:31.077:32) : cwd=/root
type=SYSCALL msg=audit(01/18/21 17:49:31.077:32) : arch=x86_64 syscall=fchmodat success=yes exit=0 a0=0xff9c a1=0x5577580dc1c0 a2=0400 a3=0x0 items=1 ppid=1499 pid=1992 auid=ubuntu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chmod exe=/bin/chmod key=shadow-changed


Now updating the package:
# apt-cache policy auditd
auditd:
  Installed: 1:2.8.2-1ubuntu1.1
  Candidate: 1:2.8.2-1ubuntu1.1
  Version table:
 *** 1:2.8.2-1ubuntu1.1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:2.8.2-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

(and its deps, like libaudit1, etc).

The same rule continues to be loaded:
# auditctl -l
-w /etc/shadow -p wa -k shadow-changed

Also after a manual restart:
# systemctl restart auditd
# auditctl -l
-w /etc/shadow -p wa -k shadow-changed

And changing /etc/shadow is logged (let's use 0640 this time):
# chmod 0640 /etc/shadow
#

log:
type=PROCTITLE msg=audit(01/18/21 17:54:51.942:56) : proctitle=chmod 0640 /etc/shadow
type=PATH msg=audit(01/18/21 17:54:51.942:56) : item=0 name=/etc/shadow inode=64070 dev=fc:01 mode=file,400 ouid=root ogid=shadow rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(01/18/21 17:54:51.942:56) : cwd=/root
type=SYSCALL msg=audit(01/18/21 17:54:51.942:56) : arch=x86_64 syscall=fchmodat success=yes exit=0 a0=0xff9c a1=0x563ae04471c0 a2=0640 a3=0x0 items=1 ppid=1499 pid=2845 auid=ubuntu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chmod exe=/bin/chmod key=shadow-changed


I then rebooted the system, performed the same tests, and got the same results 
with the updated package.

It would be great if people who were affected by this bug, and can
reasonably reproduce it, could test the packages from proposed. In the
meantime, I'll mark this as verification succeeded.


** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic


[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-16 Thread Andreas Hasenack
All regressions have been resolved after some retries.


[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-14 Thread Andreas Hasenack
I'm going over the DEP8 failures

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1848330

Title:
  Installing auditd sometimes fails in post-inst

Status in audit package in Ubuntu:
  Fix Released
Status in audit source package in Bionic:
  Fix Committed
Status in audit package in Debian:
  New

Bug description:
  [Other Info]
  The patch is committed upstream and part of the 2.8.5 release, which is
  present in Focal and later.
  The real fix for this bug is just dropping the audit_msg() call in the
  signal handler code. But the original reporter of the bug, who is also
  who came up with the fix (see
  https://bugzilla.redhat.com/show_bug.cgi?id=1587995#c4) stated that with
  the 3 changes in the patch the startup hang didn't happen to him anymore.
  Since this bug is difficult to reproduce elsewhere (either you have it,
  or you don't), I chose to keep the 3 changes instead of just the removal
  of the audit_msg() call.

  [Original Description]

  This happens sometimes when installing auditd on Ubuntu 18.04.2, most
  installations work successfully, though. Re-running the install also
  fixes the issue, but the failure breaks our automation. The log from
  the failure looks like this:

  # apt install auditd
  ...
  Setting up auditd (1:2.8.2-1ubuntu1) ...
  Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service.
  Job for auditd.service failed because a timeout was exceeded.
  See "systemctl status auditd.service" and "journalctl -xe" for details.
  invoke-rc.d: initscript auditd, action "start" failed.
  ● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL)

  Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service...
  Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705
  Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting
  Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'.
  Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service.
  dpkg: error processing package auditd (--configure):

[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-11 Thread Andreas Hasenack
Package uploaded to the SRU queue

** Changed in: audit (Ubuntu)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1848330

Title:
  Installing auditd sometimes fails in post-inst

Status in audit package in Ubuntu:
  In Progress
Status in audit package in Debian:
  New

Bug description:
  [Impact]

  Sometimes, auditd will get stuck when starting up, causing systemd to
  kill it after a while since it (systemd) never got the start
  notification.

  Upstream troubleshooted this to be caused by calling a syslog()
  function inside a signal handler.

  [Test Case]
  There is no reliable test case to reproduce the bug, other than trying
  the fixed packages on an affected system where the hang occurs more
  frequently.

  Basically:
  sudo systemctl stop auditd
  sudo systemctl start auditd

  should work reliably. Do not run that in a tight loop, however, as
  that will trigger an it's-restarting-too-frequently failure.

  [Where problems could occur]
  - if auditd fails to start, then the first fallback is syslog, and if
  that is not picking up the audit messages, the last resort is the
  kernel buffer, which can fill up. In the case it fills up, audit logs
  will be lost.

  - it's possible to configure the audit system to panic() the machine
  if audit messages are lost or otherwise not able to be recorded
  (auditctl -f 2; default is 1 which is printk())

  - the update restarts auditd as expected. Misconfiguration on very
  very busy systems could mean that audit logs would be lost during the
  brief moment the service is restarted. If that's the case, this update
  would just be one more way to trigger it, but not be the root cause of
  the problem

  - similarly, as is usual with updates that restart services, it's
  possible that an incorrect configuration for auditd is present, but
  was never loaded before. The restart will load the config, and will
  fail in such a case.

  - this update removes a logging statement that occurs during startup:

  ("dispatcher %d reaped", pid)

  It's unlikely, but possible, that some monitoring software could be
  looking for that message in the logs. It won't be there anymore after
  this update.

  [Other Info]
  The patch is committed upstream and part of the 2.8.5 release, which is
  present in Focal and later.
  The real fix for this bug is just dropping the audit_msg() call in the
  signal handler code. But the original reporter of the bug, who is also
  the one who came up with the fix (see
  https://bugzilla.redhat.com/show_bug.cgi?id=1587995#c4), stated that
  with the 3 changes in the patch the startup hang didn't happen to him
  anymore. Since this bug is difficult to reproduce elsewhere (either you
  have it, or you don't), I chose to keep the 3 changes instead of just
  the removal of the audit_msg() call.

  [Original Description]

  This happens sometimes when installing auditd on Ubuntu 18.04.2, most
  installations work successfully, though. Re-running the install also
  fixes the issue, but the failure breaks our automation. The log from
  the failure looks like this:

  # apt install auditd
  ...
  Setting up auditd (1:2.8.2-1ubuntu1) ...
  Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service.
  Job for auditd.service failed because a timeout was exceeded.
  See "systemctl status auditd.service" and "journalctl -xe" for details.
  invoke-rc.d: initscript auditd, action "start" failed.
  ● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL)

  Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service...
  Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705
  Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting
  Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'.
  Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service.
  dpkg: error processing package auditd 
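
The root cause named in the bug description above (a syslog() call made from a signal handler) and the usual way to avoid it, as an added example that is not code from the audit project or from this thread: the SIGCHLD handler only reaps the child and sets sig_atomic_t flags, and the log call runs later in normal context. All function and variable names are hypothetical, and the upstream fix described above drops the audit_msg() call outright rather than deferring it as done here.

```c
/* Added example; every name here is hypothetical, not from the audit source. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <syslog.h>
#include <unistd.h>

static volatile sig_atomic_t child_reaped; /* set to 1 by the handler */
static volatile sig_atomic_t reaped_pid;   /* pid of the last reaped child */

/*
 * SIGCHLD handler. syslog() is not on the POSIX async-signal-safe list, so
 * calling it here can deadlock when the signal interrupts code that is
 * itself inside syslog(). Only waitpid() and flag stores are done here.
 */
static void on_sigchld(int sig)
{
    int saved_errno = errno; /* waitpid() may overwrite the interrupted code's errno */
    pid_t pid;

    (void)sig;
    while ((pid = waitpid(-1, NULL, WNOHANG)) > 0) {
        reaped_pid = (sig_atomic_t)pid;
        child_reaped = 1;
    }
    errno = saved_errno;
}

int install_sigchld_handler(void)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Main-loop side: runs outside signal context, where logging is safe.
 * Returns the pid that was logged, or 0 if nothing was pending. */
long report_reaped_child(void)
{
    sigset_t block, old;
    long pid = 0;

    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &old); /* read and clear both flags as a unit */
    if (child_reaped) {
        pid = (long)reaped_pid;
        child_reaped = 0;
    }
    sigprocmask(SIG_SETMASK, &old, NULL);

    if (pid > 0)
        syslog(LOG_INFO, "dispatcher %ld reaped", pid);
    return pid;
}

/* Forks a child that exits at once (as audispd does in the log above when it
 * finds no plugins) and returns 1 if the pid reported matches that child. */
int demo_reap_short_lived_child(void)
{
    sigset_t block, old, wait_mask;
    pid_t child;

    if (install_sigchld_handler() != 0)
        return -1;

    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &old); /* no SIGCHLD between fork and wait */

    child = fork();
    if (child < 0) {
        sigprocmask(SIG_SETMASK, &old, NULL);
        return -1;
    }
    if (child == 0)
        _exit(0);

    wait_mask = old;
    sigdelset(&wait_mask, SIGCHLD);
    while (!child_reaped)
        sigsuspend(&wait_mask); /* atomically unblock SIGCHLD and sleep */
    sigprocmask(SIG_SETMASK, &old, NULL);

    return report_reaped_child() == (long)child;
}

int main(void)
{
    return demo_reap_short_lived_child() == 1 ? 0 : 1;
}
```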

[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-11 Thread Andreas Hasenack
** Description changed:

  [Impact]
  
  Sometimes, auditd will get stuck when starting up, causing systemd to
  kill it after a while since it (systemd) never got the start
  notification.
  
  Upstream troubleshooted this to be caused by calling a syslog() function
  inside a signal handler.
  
  [Test Case]
  There is no reliable test case to reproduce the bug, other than trying the 
fixed packages on an affected system where the hang occurs more frequently.
  
  Basically:
  sudo systemctl stop auditd
  sudo systemctl start auditd
  
  should work reliably. Do not run that in a tight loop, however, as that
  will trigger a it's-restarting-too-frequently failure.
  
  [Where problems could occur]
  - if auditd fails to start, then the first fallback is syslog, and if that is 
not picking up the audit messages, the last resort is the kernel buffer, which 
can fill up. In the case it fills up, audit logs will be lost.
  
  - it's possible to configure the audit system to panic() the machine if
  audit messages are lost or otherwise not able to be recorded (auditctl
  -f 2; default is 1 which is printk())
  
  - the update restarts auditd as expected. Misconfiguration on very very
  busy systems could mean that audit logs would be lost during the brief
  moment the service is restarted. If that's the case, this update would
  just be one more way to trigger it, but not be the root cause of the
  problem
  
  - similarly, as is usual with updates that restart services, it's
  possible than an incorrect configuration for auditd is present, but was
  never loaded before. The restart will load the config, and will fail in
  such a case.
  
  - this update removes a logging statement that occurs during startup:
  
  ("dispatcher %d reaped", pid)
  
  It's unlikely, but possible, that some monitoring software could be
  looking for that message in the logs. It won't be there anymore after
  this update.
  
  [Other Info]
  The patch is committed upstream and part of the 2.8.5 release, which is 
present in Focal and later.
+ The real fix for this bug is just dropping the audit_msg() call in the signal 
handler code. But the original reporter of the bug, who is also who came up 
with the fix (see https://bugzilla.redhat.com/show_bug.cgi?id=1587995#c4) 
stated that with the 3 changes in the patch the startup hang didn't happen to 
him anymore. Since this bug is difficult to reproduce elsewhere (either you 
have it, or you don't), I chose to keep the 3 changes instead of just the 
removal of the audit_msg() call.
  
  [Original Description]
  
  This happens sometimes when installing auditd on Ubuntu 18.04.2, most
  installations work successfully, though. Re-running the install also
  fixes the issue, but the failure breaks our automation. The log from the
  failure looks like this:
  
  # apt install auditd
  ...
  Setting up auditd (1:2.8.2-1ubuntu1) ...
  Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → 
/lib/systemd/system/auditd.service.
  Job for auditd.service failed because a timeout was exceeded.
  See "systemctl status auditd.service" and "journalctl -xe" for details.
  invoke-rc.d: initscript auditd, action "start" failed.
  ● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: enabled)
     Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms 
ago
   Docs: man:auditd(8)
     https://github.com/linux-audit/audit-documentation
    Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL)
  
  Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing 
Service...
  Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: 
/sbin/audispd pid: 9705
  Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting
  Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation 
timed out. Terminating.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 
'stop-sigterm' timed out. Killing.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 
9702 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 
9703 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process 
exited, code=killed status=9
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 
'timeout'.
  Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing 
Service.
  dpkg: error processing package auditd (--configure):
   installed auditd package post-installation script subprocess returned error 
exit status 1


Title:
  Installing auditd sometimes fails in post-inst

Status in audit package in Ubuntu:
  Confirmed

[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-08 Thread Andreas Hasenack
** Description changed:

  [Impact]
  
-  * An explanation of the effects of the bug on users and
+ Sometimes, auditd will get stuck when starting up, causing systemd to
+ kill it after a while since it (systemd) never got the start
+ notification.
  
-  * justification for backporting the fix to the stable release.
- 
-  * In addition, it is helpful, but not required, to include an
-explanation of how the upload fixes this bug.
+ Upstream troubleshooted this to be caused by calling a syslog() function
+ inside a signal handler.
  
  [Test Case]
+ There is no reliable test case to reproduce the bug, other than trying the 
fixed packages on an affected system where the hang occurs more frequently.
  
-  * detailed instructions how to reproduce the bug
+ Basically:
+ sudo systemctl stop auditd
+ sudo systemctl start auditd
  
-  * these should allow someone who is not familiar with the affected
-package to reproduce the bug and verify that the updated package fixes
-the problem.
+ should work reliably. Do not run that in a tight loop, however, as that
+ will trigger a it's-restarting-too-frequently failure.
  
  [Where problems could occur]
+ - if auditd fails to start, then the first fallback is syslog, and if that is 
not picking up the audit messages, the last resort is the kernel buffer, which 
can fill up. In the case it fills up, audit logs will be lost.
  
-  * Think about what the upload changes in the software. Imagine the change is
-wrong or breaks something else: how would this show up?
+ - it's possible to configure the audit system to panic() the machine if
+ audit messages are lost or otherwise not able to be recorded (auditctl
+ -f 2; default is 1 which is printk())
  
-  * It is assumed that any SRU candidate patch is well-tested before
-upload and has a low overall risk of regression, but it's important
-to make the effort to think about what ''could'' happen in the
-event of a regression.
+ - the update restarts auditd as expected. Misconfiguration on very very
+ busy systems could mean that audit logs would be lost during the brief
+ moment the service is restarted. If that's the case, this update would
+ just be one more way to trigger it, but not be the root cause of the
+ problem
  
-  * This must '''never''' be "None" or "Low", or entirely an argument as to why
-your upload is low risk.
+ - this update removes a logging statement that occurs during startup:
  
-  * This both shows the SRU team that the risks have been considered,
-and provides guidance to testers in regression-testing the SRU.
+ ("dispatcher %d reaped", pid)
+ 
+ It's unlikely, but possible, that some monitoring software could be
+ looking for that message in the logs. It won't be there anymore after
+ this update.
+ 
  
  [Other Info]
-  
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
-  * and address these questions in advance
+ The patch is committed upstream and part of the 2.8.5 release, which is 
present in Focal and later.
  
  
  [Original Description]
  
- 
- This happens sometimes when installing auditd on Ubuntu 18.04.2, most 
installations work successfully, though. Re-running the install also fixes the 
issue, but the failure breaks our automation. The log from the failure looks 
like this:
+ This happens sometimes when installing auditd on Ubuntu 18.04.2, most
+ installations work successfully, though. Re-running the install also
+ fixes the issue, but the failure breaks our automation. The log from the
+ failure looks like this:
  
  # apt install auditd
  ...
  Setting up auditd (1:2.8.2-1ubuntu1) ...
  Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → 
/lib/systemd/system/auditd.service.
  Job for auditd.service failed because a timeout was exceeded.
  See "systemctl status auditd.service" and "journalctl -xe" for details.
  invoke-rc.d: initscript auditd, action "start" failed.
  ● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: enabled)
     Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms 
ago
   Docs: man:auditd(8)
     https://github.com/linux-audit/audit-documentation
    Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL)
  
  Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing 
Service...
  Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: 
/sbin/audispd pid: 9705
  Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting
  Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation 
timed out. Terminating.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 
'stop-sigterm' timed out. Killing.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 
9702 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 

[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-08 Thread Andreas Hasenack
Yikes @Kodiak, sounds painful :(


Title:
  Installing auditd sometimes fails in post-inst

Status in audit package in Ubuntu:
  Confirmed
Status in audit package in Debian:
  New

Bug description:
  [Impact]

   * An explanation of the effects of the bug on users and

   * justification for backporting the fix to the stable release.

   * In addition, it is helpful, but not required, to include an
 explanation of how the upload fixes this bug.

  [Test Case]

   * detailed instructions how to reproduce the bug

   * these should allow someone who is not familiar with the affected
 package to reproduce the bug and verify that the updated package fixes
 the problem.

  [Where problems could occur]

   * Think about what the upload changes in the software. Imagine the change is
 wrong or breaks something else: how would this show up?

   * It is assumed that any SRU candidate patch is well-tested before
 upload and has a low overall risk of regression, but it's important
 to make the effort to think about what ''could'' happen in the
 event of a regression.

   * This must '''never''' be "None" or "Low", or entirely an argument as to why
 your upload is low risk.

   * This both shows the SRU team that the risks have been considered,
 and provides guidance to testers in regression-testing the SRU.

  [Other Info]
   
   * Anything else you think is useful to include
   * Anticipate questions from users, SRU, +1 maintenance, security teams and
     the Technical Board
   * and address these questions in advance

  
  [Original Description]

  
  This happens sometimes when installing auditd on Ubuntu 18.04.2, most
  installations work successfully, though. Re-running the install also
  fixes the issue, but the failure breaks our automation. The log from
  the failure looks like this:

  # apt install auditd
  ...
  Setting up auditd (1:2.8.2-1ubuntu1) ...
  Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service.
  Job for auditd.service failed because a timeout was exceeded.
  See "systemctl status auditd.service" and "journalctl -xe" for details.
  invoke-rc.d: initscript auditd, action "start" failed.
  ● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL)

  Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service...
  Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705
  Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting
  Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'.
  Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service.
  dpkg: error processing package auditd (--configure):
   installed auditd package post-installation script subprocess returned error exit status 1



[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-08 Thread Andreas Hasenack
** Description changed:

- This happens sometimes when installing auditd on Ubuntu 18.04.2, most
- installations work successfully, though. Re-running the install also
- fixes the issue, but the failure breaks our automation. The log from the
- failure looks like this:
+ [Impact]
+ 
+  * An explanation of the effects of the bug on users and
+ 
+  * justification for backporting the fix to the stable release.
+ 
+  * In addition, it is helpful, but not required, to include an
+explanation of how the upload fixes this bug.
+ 
+ [Test Case]
+ 
+  * detailed instructions how to reproduce the bug
+ 
+  * these should allow someone who is not familiar with the affected
+package to reproduce the bug and verify that the updated package fixes
+the problem.
+ 
+ [Where problems could occur]
+ 
+  * Think about what the upload changes in the software. Imagine the change is
+wrong or breaks something else: how would this show up?
+ 
+  * It is assumed that any SRU candidate patch is well-tested before
+upload and has a low overall risk of regression, but it's important
+to make the effort to think about what ''could'' happen in the
+event of a regression.
+ 
+  * This must '''never''' be "None" or "Low", or entirely an argument as to why
+your upload is low risk.
+ 
+  * This both shows the SRU team that the risks have been considered,
+and provides guidance to testers in regression-testing the SRU.
+ 
+ [Other Info]
+  
+  * Anything else you think is useful to include
+  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
+  * and address these questions in advance
+ 
+ 
+ [Original Description]
+ 
+ 
+ This happens sometimes when installing auditd on Ubuntu 18.04.2, most 
installations work successfully, though. Re-running the install also fixes the 
issue, but the failure breaks our automation. The log from the failure looks 
like this:
  
  # apt install auditd
  ...
  Setting up auditd (1:2.8.2-1ubuntu1) ...
  Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → 
/lib/systemd/system/auditd.service.
  Job for auditd.service failed because a timeout was exceeded.
  See "systemctl status auditd.service" and "journalctl -xe" for details.
  invoke-rc.d: initscript auditd, action "start" failed.
  ● auditd.service - Security Auditing Service
-Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: enabled)
-Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms 
ago
-  Docs: man:auditd(8)
-https://github.com/linux-audit/audit-documentation
-   Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL)
+    Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: enabled)
+    Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms 
ago
+  Docs: man:auditd(8)
+    https://github.com/linux-audit/audit-documentation
+   Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL)
  
  Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing 
Service...
  Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: 
/sbin/audispd pid: 9705
  Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting
  Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation 
timed out. Terminating.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 
'stop-sigterm' timed out. Killing.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 
9702 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 
9703 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process 
exited, code=killed status=9
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 
'timeout'.
  Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing 
Service.
  dpkg: error processing package auditd (--configure):
-  installed auditd package post-installation script subprocess returned error 
exit status 1
+  installed auditd package post-installation script subprocess returned error 
exit status 1


Title:
  Installing auditd sometimes fails in post-inst

Status in audit package in Ubuntu:
  Confirmed
Status in audit package in Debian:
  New

Bug description:
  [Impact]

   * An explanation of the effects of the bug on users and

   * justification for backporting the fix to the stable release.

   * In addition, it is helpful, but not required, to include an
 explanation of how the upload fixes this bug.

  [Test Case]

   * detailed instructions how to reproduce the bug

   * these should allow someone who is not familiar with the affected
 

[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst

2021-01-08 Thread Andreas Hasenack
I'm having difficulties reproducing the bug, to validate the patch. I
built bionic test packages with the patch mentioned earlier, if someone
wants to test:
https://launchpad.net/~ahasenack/+archive/ubuntu/audit-startup-hang-1848330


Title:
  Installing auditd sometimes fails in post-inst

Status in audit package in Ubuntu:
  Confirmed
Status in audit package in Debian:
  New

Bug description:
  This happens sometimes when installing auditd on Ubuntu 18.04.2, most
  installations work successfully, though. Re-running the install also
  fixes the issue, but the failure breaks our automation. The log from
  the failure looks like this:

  # apt install auditd
  ...
  Setting up auditd (1:2.8.2-1ubuntu1) ...
  Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service.
  Job for auditd.service failed because a timeout was exceeded.
  See "systemctl status auditd.service" and "journalctl -xe" for details.
  invoke-rc.d: initscript auditd, action "start" failed.
  ● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL)

  Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service...
  Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705
  Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting
  Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL.
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9
  Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'.
  Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service.
  dpkg: error processing package auditd (--configure):
   installed auditd package post-installation script subprocess returned error exit status 1


